
ID: 796320

Sample Name: pupy-rat.iso


Cookbook: defaultwindowsinteractivecookbook.jbs
Time: 19:54:53
Date: 01/02/2023
Version: 36.0.0 Rainbow Opal
Table of Contents

Windows Analysis Report pupy-rat.iso
Overview
General Information
Detection
Signatures
Classification
Process Tree
Malware Configuration
Yara Signatures
Memory Dumps
Unpacked PEs
Sigma Signatures
Snort Signatures
Joe Sandbox Signatures
AV Detection
System Summary
HIPS / PFW / Operating System Protection Evasion
Mitre Att&ck Matrix
Behavior Graph
Screenshots
Thumbnails
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Domains and IPs
Contacted Domains
URLs from Memory and Binaries
World Map of Contacted IPs
Public IPs
General Information
Warnings
Simulations
Behavior and APIs
Joe Sandbox View / Context
IPs
Domains
ASNs
JA3 Fingerprints
Dropped Files
Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scriptrunner.exe.log
C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json
C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview.ttf
C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Copyright Joe Security LLC 2023 Page 2 of 57


Static File Info
General
File Icon
Network Behavior
TCP Packets
Statistics
Behavior
System Behavior
Analysis Process: explorer.exe PID: 3840, Parent PID: -1
General
File Activities
Registry Activities
Analysis Process: ScriptRunner.exe PID: 6620, Parent PID: 3840
General
File Activities
File Created
File Written
File Read
Analysis Process: conhost.exe PID: 6628, Parent PID: 6620
General
File Activities
Analysis Process: WerFault.exe PID: 6716, Parent PID: 6620
General
File Activities
File Created
File Deleted
File Written
File Read
Registry Activities
Analysis Process: EXCEL.EXE PID: 6796, Parent PID: 6716
General
File Activities
File Deleted
Registry Activities
Disassembly


Windows Analysis Report
pupy-rat.iso

Overview

General Information

Sample Name: pupy-rat.iso
Analysis ID: 796320
MD5: d069812aa63b…
SHA1: 6b0cd7ae05f88…
SHA256: 17a3c8d82230…

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for subm…
Benign windows process drops PE f…
Malicious sample detected (through…
Multi AV Scanner detection for drop…
Queries the volume information (nam…
Yara signature match
Antivirus or Machine Learning detec…
One or more processes crash
May sleep (evasive loops) to hinder…
Uses code obfuscation techniques (…
PE file contains sections with non-s…
Contains functionality to detect virtu…
Detected potential crypto function
Found potential string decryption / a…
Sample execution stops while proce…
Contains long sleeps (>= 3 min)
PE file does not import any functions
PE file contains an invalid checksum
Drops PE files
Detected TCP or UDP traffic on non…
Binary contains a suspicious time s…
Monitors certain registry keys / valu…
Creates a process in suspended mo…

Classification

[Classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Process Tree

System is w10x64_ra
explorer.exe (PID: 3840 cmdline: C:\Windows\Explorer.EXE MD5: D7874DD30BA935AAED6F730A0ED84610)
  ScriptRunner.exe (PID: 6620 cmdline: "C:\windows\system32\scriptrunner.exe" -appvscript WerFault.exe MD5: 256DB41CC475676223E444781711AF17)
    conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    WerFault.exe (PID: 6716 cmdline: "E:\WerFault.exe" MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      EXCEL.EXE (PID: 6796 cmdline: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "E:\file.xls MD5: 23CAD504B3E04BB54CD636AD2874041A)
cleanup

Malware Configuration
⊘ No configs have been found

Yara Signatures
Memory Dumps
Source: 0000000F.00000002.2768445444.0000028E05150000.00000004.00000020.00020000.00000000.sdmp
Rule: Pupy_Backdoor
Description: Detects Pupy backdoor
Author: Florian Roth (Nextron Systems)
Strings:
0x84210:$x4: reflective_inject_dll
0xa5e10:$x5: ld_preload_inject_dll
0x84210:$x8: reflective_inject_dll

Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp
Rule: ReflectiveLoader
Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Author: Florian Roth (Nextron Systems)
Strings:
0x218b8:$x1: ReflectiveLoader
0x640f0:$x1: ReflectiveLoader

Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp
Rule: APT_PupyRAT_PY
Description: Detects Pupy RAT
Author: Florian Roth (Nextron Systems)
Strings:
0x63ec0:$x1: reflective_inject_dll
0x64b90:$x4: [INJECT] inject_dll.
0x64bd0:$x4: [INJECT] inject_dll.
0x64c20:$x4: [INJECT] inject_dll.
0x64c60:$x4: [INJECT] inject_dll.
0x64ca0:$x4: [INJECT] inject_dll.
0x64ce8:$x4: [INJECT] inject_dll.
0x64d30:$x4: [INJECT] inject_dll.
0x64d78:$x4: [INJECT] inject_dll.
0x64dc0:$x4: [INJECT] inject_dll.

Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp
Rule: Pupy_Backdoor
Description: Detects Pupy backdoor
Author: Florian Roth (Nextron Systems)
Strings:
0x63ec0:$x4: reflective_inject_dll
0x64c20:$x7: [INJECT] inject_dll. OpenProcess failed.
0x63ec0:$x8: reflective_inject_dll

Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_38b8ceec
Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
Author: unknown
Strings:
0x6431e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61

Unpacked PEs
Source: 15.3.WerFault.exe.28e03b30000.2.unpack
Rule: ReflectiveLoader
Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Author: Florian Roth (Nextron Systems)
Strings:
0x20cb8:$x1: ReflectiveLoader
0x634f0:$x1: ReflectiveLoader

Source: 15.3.WerFault.exe.28e03b30000.2.unpack
Rule: APT_PupyRAT_PY
Description: Detects Pupy RAT
Author: Florian Roth (Nextron Systems)
Strings:
0x632c0:$x1: reflective_inject_dll
0x63f90:$x4: [INJECT] inject_dll.
0x63fd0:$x4: [INJECT] inject_dll.
0x64020:$x4: [INJECT] inject_dll.
0x64060:$x4: [INJECT] inject_dll.
0x640a0:$x4: [INJECT] inject_dll.
0x640e8:$x4: [INJECT] inject_dll.
0x64130:$x4: [INJECT] inject_dll.
0x64178:$x4: [INJECT] inject_dll.
0x641c0:$x4: [INJECT] inject_dll.

Source: 15.3.WerFault.exe.28e03b30000.2.unpack
Rule: Pupy_Backdoor
Description: Detects Pupy backdoor
Author: Florian Roth (Nextron Systems)
Strings:
0x632c0:$x4: reflective_inject_dll
0x64020:$x7: [INJECT] inject_dll. OpenProcess failed.
0x632c0:$x8: reflective_inject_dll

Source: 15.3.WerFault.exe.28e03b30000.2.unpack
Rule: Windows_Trojan_Metasploit_38b8ceec
Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
Author: unknown
Strings:
0x6371e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61

Source: 15.3.WerFault.exe.28e03b30000.2.unpack
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
0x635f7:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0x6382f:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Sigma Signatures
⊘ No Sigma rule has matched

Snort Signatures
⊘ No Snort rule has matched



Joe Sandbox Signatures

AV Detection

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

System Summary

Malicious sample detected (through community Yara rule)

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Mitre Att&ck Matrix


Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact

Valid 2 Path 1 2 1 OS 1 Remote 1 1 Exfiltration 1 Eavesdrop Remotely Modify


Accounts Command Interceptio Process Masqueradi Credential System Services Archive Over Other Encrypted on Insecure Track System
and n Injection ng Dumping Time Collected Network Channel Network Device Partition
Scripting Discovery Data Medium Communic Without
Interpreter ation Authorizati
on

Default 1 Boot or 1 1 LSASS 1 Remote Data from Exfiltration 1 Exploit SS7 Remotely Device
Accounts Exploitation Logon Extra Disable or Memory Query Desktop Removable Over Non- to Redirect Wipe Data Lockout
for Client Initializatio Window Modify Registry Protocol Media Bluetooth Standard Phone Without
Execution n Scripts Memory Tools Port Calls/SMS Authorizati
Injection on

Domain At (Linux) Logon Logon 3 1 Security 1 1 SMB/Wind Data from Automated Steganogra Exploit SS7 Obtain Delete
Accounts Script Script Virtualizatio Account Security ows Admin Network Exfiltration phy to Track Device Device
(Windows) (Windows) n/Sandbox Manager Software Shares Shared Device Cloud Data
Evasion Discovery Drive Location Backups

Local At Logon Logon 1 2 NTDS 1 Distributed Input Scheduled Protocol SIM Card Carrier
Accounts (Windows) Script Script Process Process Component Capture Transfer Impersonati Swap Billing
(Mac) (Mac) Injection Discovery Object on Fraud
Model

Cloud Cron Network Network 1 LSA 3 1 SSH Keylogging Data Fallback Manipulate Manipulate
Accounts Logon Logon Deobfuscat Secrets Virtualizatio Transfer Channels Device App Store
Script Script e/Decode n/Sandbox Size Limits Communic Rankings
Files or Evasion ation or Ratings
Information

Replication Launchd Rc.commo Rc.commo 2 Cached 1 VNC GUI Input Exfiltration Multiband Jamming or Abuse
Through n n Obfuscated Domain Remote Capture Over C2 Communic Denial of Accessibilit
Removable Files or Credentials System Channel ation Service y Features
Media Information Discovery

External Scheduled Startup Startup 1 DCSync 2 Windows Web Portal Exfiltration Commonly Rogue Wi- Data
Remote Task Items Items Software File and Remote Capture Over Used Port Fi Access Encrypted
Services Packing Directory Manageme Alternative Points for Impact
Discovery nt Protocol

Drive-by Command Scheduled Scheduled 1 Proc 1 3 Shared Credential Exfiltration Application Downgrade Generate
Compromis and Task/Job Task/Job Timestomp Filesystem System Webroot API Over Layer to Insecure Fraudulent
e Scripting Information Hooking Symmetric Protocol Protocols Advertising
Interpreter Discovery Encrypted Revenue
Non-C2
Protocol

Exploit PowerShell At (Linux) At (Linux) 1 /etc/passw System Software Data Exfiltration Web Rogue Data
Public- Extra d and Network Deploymen Staged Over Protocols Cellular Destruction
Facing Window /etc/shado Connection t Tools Asymmetric Base
Application Memory w s Encrypted Station
Injection Discovery Non-C2
Protocol



Behavior Graph
ID: 796320
Sample: pupy-rat.iso
Startdate: 01/02/2023
Architecture: WINDOWS
Score: 72

[Behavior graph figure. Signatures shown: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Benign windows process drops PE files. Process nodes: explorer.exe, ScriptRunner.exe, WerFault.exe, conhost.exe, EXCEL.EXE. Dropped files: \Device\CdRom1\WERFAULT.EXE, PE32+; \Device\CdRom1\FAULTREP.DLL, PE32+. Network node: 103.79.76.40, 49730, 8443; ASN-QUADRANET-GLOBALUS; United Kingdom.]



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source Detection Scanner Label Link

pupy-rat.iso 2% ReversingLabs

pupy-rat.iso 55% Virustotal Browse

Dropped Files
Source Detection Scanner Label Link

\Device\CdRom1\FAULTREP.DLL 77% ReversingLabs Win64.Backdoor.Pupy

\Device\CdRom1\WERFAULT.EXE 0% ReversingLabs

Unpacked PE Files
Source Detection Scanner Label Link Download

15.2.WerFault.exe.28e07473090.8.unpack 100% Avira TR/Crypt.ZPACK.Gen2 Download File

Domains

⊘ No Antivirus matches



URLs
Source Detection Scanner Label Link

vpaste.net/ 0% Avira URL Cloud safe

ix.ios 0% Avira URL Cloud safe

https://cloudflare-dns.com/dns-querys$ 0% Avira URL Cloud safe

https://go.microsoftb 0% Avira URL Cloud safe

https://phpaste.sourceforge.ios 0% Avira URL Cloud safe

wpad/wpad.dats 0% Avira URL Cloud safe

https://dns1.nextdns.io/dns-query$ 0% Avira URL Cloud safe

vpaste.net/ 1% Virustotal Browse

https://pastebin.coms 0% Avira URL Cloud safe

https://cloudflare-dns.com/dns-queryfile 0% Avira URL Cloud safe

https://dns.quad9.net:5053/dns-query 0% Avira URL Cloud safe

https://ghostbin.coms 0% Avira URL Cloud safe

https://pastebin.comngebrary 0% Avira URL Cloud safe

vpaste.net 0% Avira URL Cloud safe

https://dns.quad9.net:5053/dns-querys 0% Avira URL Cloud safe

https://go.microsoft 0% Avira URL Cloud safe

https://9.9.9.9:5053/dns-query 0% Avira URL Cloud safe

paste.openstack.orgs 0% Avira URL Cloud safe

https://dns1.nextdns.io/dns-query 0% Avira URL Cloud safe

https://lpaste.nets 0% Avira URL Cloud safe

https://dns1.nextdns.io/dns-querys 0% Avira URL Cloud safe

dpaste.coms 0% Avira URL Cloud safe

https://9.9.9.9:5053/dns-querys 0% Avira URL Cloud safe

https://hastebin.coms 0% Avira URL Cloud safe

dpaste.comi 0% Avira URL Cloud safe

vpaste.neti 0% Avira URL Cloud safe

https://cloudflare-dns.com/dns-query 0% Avira URL Cloud safe

vpaste.nets 0% Avira URL Cloud safe

https://friendpaste.coms 0% Avira URL Cloud safe

Domains and IPs

Contacted Domains

⊘ No contacted domains info

URLs from Memory and Binaries


Name Source Malicious Antivirus Detection Reputation

https://cloudflare-dns.com/dns-querys$ WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://hastebin.com WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

httpbin.org/headers WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

www.python.org/sax/properties/encodings3 WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

https://ghostbin.com/paste/ WerFault.exe, 0000000F.00000002.27684454 false high


44.0000028E05150000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

Copyright Joe Security LLC 2023 Page 10 of 57


Name Source Malicious Antivirus Detection Reputation

ix.io WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://github.com/pyca/cryptography__ WerFault.exe, 0000000F.00000002.28585810 false high


87.0000028E082E7000.00000004.00000020.00
020000.00000000.sdmp

www.msftncsi.com/ncsi.txt WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

pastebin.com/raw/ WerFault.exe, 0000000F.00000002.27684454 false high


44.0000028E05150000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

xml.org/sax/features/validations5 WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

vpaste.net/ WerFault.exe, 0000000F.00000002.27895716 false 1%, Virustotal, Browse unknown


17.0000028E072E0000.00000004.00000020.00 Avira URL Cloud: safe
020000.00000000.sdmp

xml.org/sax/features/external-general-entitiess7 WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

ix.ios WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://www.openssl.org/ WerFault.exe false high

https://phpaste.sourceforge.io/demo/paste.php? WerFault.exe, 0000000F.00000002.27895716 false high


download&id= 17.0000028E072E0000.00000004.00000020.00
020000.00000000.sdmp

https://github.com/apple/ccs-pykerberos WerFault.exe, 0000000F.00000002.28079234 false high


64.0000028E07719000.00000004.00000020.00
020000.00000000.sdmp

https://www.apache.org/licenses/LICENSE-2.0 WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://go.microsoftb WerFault.exe, 0000000F.00000002.26511418 false Avira URL Cloud: safe unknown


22.0000028E01F55000.00000004.00000020.00
020000.00000000.sdmp

schemas.xmlsoap.org/soap/envelope/t WerFault.exe, 0000000F.00000003.15972896 false high


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp

www.unicode.org/reports/tr44/tr44-4.html).u WerFault.exe, 0000000F.00000002.27895716 false high


17.0000028E075FC000.00000004.00000020.00
020000.00000000.sdmp

goo.gl/fmebo WerFault.exe, 0000000F.00000002.28079234 false high


64.0000028E07719000.00000004.00000020.00
020000.00000000.sdmp

www.python.org/sax/properties/interning-dictN( WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

https://phpaste.sourceforge.ios WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

wpad/wpad.dats WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe low


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://ghostbin.com WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://dns1.nextdns.io/dns-query$ WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0880D000.00000004.00000020.00
020000.00000000.sdmp

https://go.microsoft WerFault.exe, 0000000F.00000002.26511418 false Avira URL Cloud: safe unknown


22.0000028E01F55000.00000004.00000020.00
020000.00000000.sdmp
Copyright Joe Security LLC 2023 Page 11 of 57
Name Source Malicious Antivirus Detection Reputation

https://cloudflare-dns.com/dns-queryfile WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0880D000.00000004.00000020.00
020000.00000000.sdmp

clients3.google.com/generate_204 WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0870D000.00000004.00000020.00
020000.00000000.sdmp

www.autoitscript.com/autoit3 explorer.exe, 0000000C.00000002.26637325 false high


16.0000000004C6E000.00000004.00000001.00
020000.00000000.sdmp, explorer.exe, 0000
000C.00000000.1496796735.0000000004BFB00
0.00000004.00000001.00020000.00000000.sdmp

https://pastebin.coms WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

curl.haxx.se/rfc/cookie_spec.html WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0870D000.00000004.00000020.00
020000.00000000.sdmp

xml.python.org/entities/fragment-builder/internals WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp

https://dns.quad9.net:5053/dns-query WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0880D000.00000004.00000020.00
020000.00000000.sdmp

xml.org/sax/properties/lexical-handlers1 WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

xml.org/sax/properties/dom-nodes( WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

schemas.xmlsoap.org/soap/encoding/ WerFault.exe, 0000000F.00000002.27734525 false high


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp,
WerFault.exe, 0000000F.00000002.2807923464.000
0028E07CE8000.00000004.00000020.00020000
.00000000.sdmp

https://ghostbin.coms WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

WerFault.exe, 0000000F.00000003.16054390 false high


xml.org/sax/features/namespacess.http://xml.org/sax/f 23.0000028E05610000.00000004.00001000.00
eatures/namespace-prefixess 020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

xml.org/sax/features/string- WerFault.exe, 0000000F.00000003.16054390 false high


internings&http://xml.org/sax/features/validations5http:/ 23.0000028E05610000.00000004.00001000.00
/xml.org 020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

https://dns.quad9.net:5053/dns-querys WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://tools.ietf.org/html/rfc5929 WerFault.exe, 0000000F.00000002.28079234 false high


64.0000028E07719000.00000004.00000020.00
020000.00000000.sdmp

https://dns.google.com/resolves$ WerFault.exe, 0000000F.00000002.27734525 false high


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

xml.org/sax/features/namespace-prefixess WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

vpaste.net WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp


https://lpaste.net WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

registry.npmjs.org/ WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E085E5000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2773452580.0000028E054A300
0.00000004.00000020.00020000.00000000.sdmp

www.openssl.org/support/faq.htmlC: WerFault.exe, 0000000F.00000002.28503826 false high


15.0000028E08091000.00000040.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1618583762.0000028E07EEB00
0.00000004.00000020.00020000.00000000.sdmp

ix.io/ WerFault.exe, 0000000F.00000003.15972896 false high


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2768445444.0000028E0515000
0.00000004.00000020.00020000.00000000.sdmp,
WerFault.exe, 0000000F.00000002.2789571617.000
0028E072E0000.00000004.00000020.00020000
.00000000.sdmp

www.msftncsi.com/ncsi.txtt WerFault.exe, 0000000F.00000003.15972896 false high


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp

https://android.notify.windows.com/iOS explorer.exe, 0000000C.00000003.24587201 false high


96.000000000A834000.00000004.00000001.00
020000.00000000.sdmp, explorer.exe, 0000
000C.00000000.1519720651.000000000A83400
0.00000004.00000001.00020000.00000000.sdmp

lame.sourceforge.net/license.txts( WerFault.exe, 0000000F.00000002.27734525 false high


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

schemas.xmlsoap.org/wsdl/ WerFault.exe, 0000000F.00000002.28585810 false high


87.0000028E08230000.00000004.00000020.00
020000.00000000.sdmp

explorer.exe, 0000000C.00000000.14890063 false high


https://activity.windows.com/UserActivity.ReadWrite.Cr 88.000000000101B000.00000004.00000020.00
eatedByApp 020000.00000000.sdmp, explorer.exe, 0000
000C.00000002.2639807445.000000000108100
0.00000004.00000020.00020000.00000000.sdmp

https://pastebin.comngebrary WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://9.9.9.9:5053/dns-query WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0884D000.00000004.00000020.00
020000.00000000.sdmp

dpaste.com/ WerFault.exe, 0000000F.00000002.27895716 false high


17.0000028E072E0000.00000004.00000020.00
020000.00000000.sdmp

paste.openstack.orgs WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://pastebin.com WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://github.com/pyca/cryptography/issues WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

lame.sourceforge.net/license.txt WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

lpaste.net/raw/ WerFault.exe, 0000000F.00000002.27895716 false high


17.0000028E072E0000.00000004.00000020.00
020000.00000000.sdmp

schemas.xmlsoap.org/soap/envelope WerFault.exe, 0000000F.00000002.27734525 false high


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp,
WerFault.exe, 0000000F.00000002.2807923464.000
0028E07CE8000.00000004.00000020.00020000
.00000000.sdmp


paste.openstack.org WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://github.com/pyca/cryptography WerFault.exe, 0000000F.00000002.28585810 false high


87.0000028E082E7000.00000004.00000020.00
020000.00000000.sdmp

https://www.apache.org/licenses/LICENSE-2.0s7 WerFault.exe, 0000000F.00000002.27734525 false high


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

schemas.xmlsoap.org/soap/envelope/ WerFault.exe, 0000000F.00000002.28415038 false high


26.0000028E07E0E000.00000004.00000020.00
020000.00000000.sdmp

https://dns1.nextdns.io/dns-query WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0880D000.00000004.00000020.00
020000.00000000.sdmp

https://friendpaste.com/ WerFault.exe, 0000000F.00000003.15972896 false high


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2768445444.0000028E0515000
0.00000004.00000020.00020000.00000000.sdmp,
WerFault.exe, 0000000F.00000002.2789571617.000
0028E072E0000.00000004.00000020.00020000
.00000000.sdmp

xml.org/sax/properties/declaration-handlers& WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

clients3.google.com/generate_204s WerFault.exe, 0000000F.00000003.15972896 false high


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp

dpaste.com WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

xml.org/sax/features/string-internings& WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

https://lpaste.nets WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://dns.google.com/resolve WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0884D000.00000004.00000020.00
020000.00000000.sdmp

https://dns1.nextdns.io/dns-querys WerFault.exe, 0000000F.00000003.15972896 false Avira URL Cloud: safe unknown


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp

www.openssl.org/support/faq.html WerFault.exe, 0000000F.00000002.28503826 false high


15.0000028E08091000.00000040.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1618583762.0000028E07EEB00
0.00000004.00000020.00020000.00000000.sdmp

schemas.xmlsoap.org/wsdl/t WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp

WerFault.exe, 0000000F.00000002.27734525 false high


https://dns.google.com/resolves$https://cloudflare- 80.0000028E05410000.00000004.00000020.00
dns.com/dns-querys$https://dns.quad9.net:5053/dns 020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://phpaste.sourceforge.io WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

xml.org/sax/properties/xml-strings- WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

https://tools.ietf.org/html/rfc5929#section-4.1 WerFault.exe, 0000000F.00000002.28079234 false high


64.0000028E07719000.00000004.00000020.00
020000.00000000.sdmp

www.unicode.org/reports/tr44/tr44-4.html). WerFault.exe, 0000000F.00000002.27895716 false high


17.0000028E075FC000.00000004.00000020.00
020000.00000000.sdmp

dpaste.coms WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://cryptography.io/en/latest/faq.html#why- WerFault.exe, 0000000F.00000002.27895716 false high


can-t-i-import-my-pem-file 17.0000028E072E0000.00000004.00000020.00
020000.00000000.sdmp

https://friendpaste.com WerFault.exe, 0000000F.00000002.28714514 false high


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://9.9.9.9:5053/dns-querys WerFault.exe, 0000000F.00000003.15972896 false Avira URL Cloud: safe unknown


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp

dpaste.comi WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://github.com/n1nj4sec/pupy WerFault.exe, 0000000F.00000002.27734525 false high


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

python.org/dev/peps/pep-0263/ WerFault.exe, 0000000F.00000002.27548057 false high


00.0000028E04DE1000.00000040.00001000.00
020000.00000000.sdmp

https://hastebin.coms WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

paste.openstack.org/raw/ WerFault.exe, 0000000F.00000002.27684454 false high


44.0000028E05150000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

https://wns.windows.com/EXE.15fA explorer.exe, 0000000C.00000003.24587201 false high


96.000000000A7B1000.00000004.00000001.00
020000.00000000.sdmp, explorer.exe, 0000
000C.00000000.1519720651.000000000A79600
0.00000004.00000001.00020000.00000000.sdmp

vpaste.neti WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0868D000.00000004.00000020.00
020000.00000000.sdmp

https://cloudflare-dns.com/dns-query WerFault.exe, 0000000F.00000002.28714514 false Avira URL Cloud: safe unknown


63.0000028E0880D000.00000004.00000020.00
020000.00000000.sdmp

vpaste.nets WerFault.exe, 0000000F.00000002.27734525 false Avira URL Cloud: safe unknown


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

xml.org/sax/features/namespacess. WerFault.exe, 0000000F.00000003.16054390 false high


23.0000028E05610000.00000004.00001000.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000002.2789571617.0000028E072E000
0.00000004.00000020.00020000.00000000.sdmp

lame.sourceforge.net/license.txts(Can WerFault.exe, 0000000F.00000002.27734525 false high


80.0000028E05410000.00000004.00000020.00
020000.00000000.sdmp, WerFault.exe, 0000
000F.00000003.1597289683.0000028E0534000
0.00000004.00001000.00020000.00000000.sdmp

https://friendpaste.coms WerFault.exe, 0000000F.00000003.15972896 false Avira URL Cloud: safe unknown


83.0000028E05340000.00000004.00001000.00
020000.00000000.sdmp

https://hastebin.com/raw/ WerFault.exe, 0000000F.00000002.27895716 false high


17.0000028E072E0000.00000004.00000020.00
020000.00000000.sdmp

World Map of Contacted IPs



[Figure: world map of contacted IPs. Legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]

Public IPs
IP Domain Country Flag ASN ASN Name Malicious

103.79.76.40 unknown United Kingdom 8100 ASN-QUADRANET-GLOBALUS false

General Information
Joe Sandbox Version: 36.0.0 Rainbow Opal

Analysis ID: 796320

Start date and time: 2023-02-01 19:54:53 +01:00

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 8m 20s

Hypervisor based Inspection enabled: false

Report type: light

Cookbook file name: defaultwindowsinteractivecookbook.jbs

Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)

Number of analysed new started processes analysed: 15

Number of new started drivers analysed: 3

Number of existing processes analysed: 1

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Sample file name: pupy-rat.iso

Detection: MAL

Classification: mal72.evad.winISO@7/389@0/1

EGA Information: Successful, ratio: 50%

HDC Information: Successful, ratio: 36.2% (good quality ratio 28.4%)


Quality average: 46.4%
Quality standard deviation: 33.9%



HCA Information: Successful, ratio: 97%
Number of executed functions: 0
Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): cdfs.sys, vhdmp.sys, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, usocoreworker.exe, fsdepends.sys, svchost.exe
Created / dropped Files have been reduced to 100
Excluded IPs from analysis (whitelisted): 20.190.160.14, 20.190.160.17, 40.126.32.133, 20.190.160.22, 40.126.32.68, 40.126.32.76, 40.126.32.134, 20.190.160.20, 52.109.13.62, 104.102.28.147, 52.113.194.132, 104.208.16.88
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, slscr.update.microsoft.com, self.events.data.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, s-0005-office.config.skype.com, onedscolprdcus08.centralus.cloudapp.azure.com, login.msa.msidentity.com, prod.nexusrules.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, prda.aadg.msidentity.com, login.live.com, s-0005.s-msedge.net, e16604.g.akamaiedge.net, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, nexusrules.officeapps.live.com
Execution Graph export aborted for target ScriptRunner.exe, PID 6620 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.

Simulations
Behavior and APIs
Time Type Description

19:55:42 API Interceptor 779x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

⊘ No context

Domains

⊘ No context

ASNs

⊘ No context

JA3 Fingerprints

⊘ No context

Dropped Files

⊘ No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scriptrunner.exe.log

Process: C:\Windows\System32\ScriptRunner.exe

File Type: CSV text



Category: modified

Size (bytes): 425

Entropy (8bit): 5.364367573988121

Encrypted: false

SSDEEP: 12:Q3La/KDLI4MWuPJOKbbDLI4MWuPOKz8Khav:ML9E4KEKDE4KGKz8Khk

MD5: 01590F5008650E61E2F3A3399E1E6816

SHA1: 05A4812BF4CA42B3681CD13A12DF215BE2E323CB

SHA-256: E45BF7BA8915AA8B6BA09C23AE04231E6806FEBC4107DA41DAE24EF187598900

SHA-512: 553847D41BEF16CCE0BE55DF9BB99A75D26BBBCD20414B2ECE52F97517D05D22DECD9D49C3AA794BF580FED3771A89D3E5119C642E660CC1723DF8791D80DB16

Malicious: false

Reputation: low

Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\e074a852d0b7a87fc8713d9727b9a1bb\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\5aa66136dfbf2cc6e3ba6b00dd4d2e9f\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: JSON data

Category: dropped

Size (bytes): 379722

Entropy (8bit): 4.9088149211082355

Encrypted: false

SSDEEP: 1536:MApDpphudnceJZezca9uRszBEmj6QkjfoJ5Jj7DMnDAYRbLSm5rYOLdHKmC9:lDThumeGzcTRszB7DkjfaJj76RbNbLW9

MD5: E9FB5A0DF105C6F7F80E8B650DF56AAB

SHA1: 0B7F6ADA05673F2535E61267C3CB428489ECEB55

SHA-256: A24470762A1F9F5F069C0F70EF53D693D08B7C99797935800FF294BD3B2566F3

SHA-512: 65C83135CE550981ED88CB4A83127CB3C94D5C616F26B05185FCC129E5201A88EB0A1351D144E1511B50ADB388071BFCC60388FDD613EBBA5B202FFC76F7D42B

Malicious: false


C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview.ttf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_17RegularVersion 4.17;O365

Category: dropped

Size (bytes): 672416

Entropy (8bit): 6.566110770587873

Encrypted: false

SSDEEP: 12288:/3zUbLds556T1BEFGHtASk3+/KLQ/zp1km/WJ1ov0mPqxXE/RoVZPE9Ob:/Qfds5opwSL1kovT92

MD5: 4DFB7AADD4771ADDF1BA168C12DEDBF3

SHA1: B379DC0E19FE0F51E77305BE0A7F3421B80E8A0F

SHA-256: DB9B46CC2132D76EF90CA9A59AF03CB478BB91EA2CDA3E8E42DD0801873416E2

SHA-512: 1C5AE2C794017A81A4232A2EF43725A0DA30F9672123940D85D34A4A77744D2D7ECA5FFE9A91E2FEDDBDBADE4EEAD6AB80E565C1F8FBB813C5A2BC25F7F0A359

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators

Category: dropped

Size (bytes): 206881



Entropy (8bit): 5.13061067760228

Encrypted: false

SSDEEP: 768:H1G501T1fJFVHYwDQrpAElQKPV3pEbWcMd3o6O3Qgqbx+B+Vso7Rx0/USkHx3BNU:HcHr6KPgb2XuN

MD5: A99A1BA698D7F802F5628734F8CB394F

SHA1: 31844709E7841B457EE2C83CD1AC300DDB5B94B3

SHA-256: E4BEB971B7150D90D26315BA6698F6913D499A00923336E8B52D7B342915EEE0

SHA-512: 63DC193CEF60ABABCD2FB710044774A66A4D12852A101BC28C8733D4373AB377F5757087339A702A1A639EF8B72022B60C73474605CB5C95596EF9F105F21BA8

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: data

Category: dropped

Size (bytes): 32768

Entropy (8bit): 0.035018717674716114

Encrypted: false

SSDEEP: 3:Gtl8/6wlrYtM1OhMpWl3l8/6wlrYtM1OhMp789//Wlkl:GtGRrYtMIMc3GRrYtMIM189Xis

MD5: 82E386E0182B0317F7BD534BA5CED397

SHA1: CE8293F6CF1A59D6379F6F48221BD686CE10AD57

SHA-256: 6819F8E9E6E2C5B4769BC4443795A1B5BEAD098EF81846B488BECB9DDABC2BD3

SHA-512: A5147AAD15F9D5DB602013A083DE9BAF786492C05E199E4AB238BD8571C870500737679791383715D83647C15588FAEC58843AFA4ADFEE43B95283EB54A4B8DF

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: SQLite Write-Ahead Log, version 3007000

Category: dropped

Size (bytes): 4152

Entropy (8bit): 1.3866867407990409

Encrypted: false

SSDEEP: 12:KAgKRo0QqCmqtZeY4syJttJxUSo0x9DdN1tDEX4vcImm5RyZkFv4sbf:KAZ8qDqt8VtbDBtDi4kZERDf

MD5: 3BDA78537760571242CA8EDA37B261A7

SHA1: 21EDE7BAB993883AC2F04936AF08228D6A4ACACF

SHA-256: EDD3AEAD29338005E47CBBA9B5EA3B322AB76455425BE4E667F23C984724DAC1

SHA-512: 62AC005B64EA4F2F58F2E8255CA11D8A68D51AC300DD50255AB673BB9D4CF90BB55824BDFB3EE12A1242979BB383E0D70B94DCBEE51DD8219E188F5DC7819357

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\10BAD5B6.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6116

Entropy (8bit): 3.079206074234841

Encrypted: false

SSDEEP: 96:/H+bhhQp+8MZQkuPXoGiwSgjFVi23FsSpjnk/bRJ:v+bhhQp+8MZQNPXoFw/fR3Fs7j

MD5: A44851198EAD2610792A5549EC2CFFA2

SHA1: AEEFC7E605892E2E3E54171FA5F8A382106D8F48



SHA-256: 3448F9EE3980530C841D5F9C47E8AEA51047515F084E37C78BD0CBAB78EF6310

SHA-512: E7276EC48B585E571062599DAC20447B49F89F9693AC7C55ED56CAFF49632D774B45B1740C3BEFAA5DE70DB4090B2492D2FAFFCA5B40DF764E497FE078747D32

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\11C0FCE5.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 16508

Entropy (8bit): 3.883014450865967

Encrypted: false

SSDEEP: 192:Jwt7ntfogEHvsYTBzXKLOZdFrAh072OI3AACggKhW2E2v8QNUXrP3gOJ4e:QlogofLXSWCOMApyhWddjx5

MD5: C6673A71B42872752F573B5992DA760E

SHA1: 1AF501DF5E0032AF646397E3EB0E279373F19A0D

SHA-256: 96A2EC32E48250A09309B262DFB26EDF745E67CB941A2502413455891062A8D2

SHA-512: C4CBD525A77814AB7005CC7AD8B9F06E1AA34C70FA763864C33061A2AB363022A27332E5DC1D1B30273EB3D0F6A3A06E3518E2878C4AB01F26250AF924449415

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\11FE67AF.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 5116

Entropy (8bit): 3.4543264196099606

Encrypted: false

SSDEEP: 48:e3fawCUSbzhcSn0IDk0TMxSjAD2HzJXFBuSGVvWOG6ae+xZEtSItV/:Vwih7n0I40TMxSVNFsSGVvW2kxKIed

MD5: 2327BAD7D1BE18C844ABBBAC57647F30

SHA1: C6A7899D1AD24C0A3C3241487D4BBCFDC4B6DB44

SHA-256: FCD4DEF04A1D3CE41098DCD96C3692CB33982A2ADD9F637D1F8084CAD6772467

SHA-512: 399972B92ACDB84E8ABC340C426C17890179C06124F4593BAC7ACAA0DCFE02F6821516909007CBE0CB1461CCE07CD5A6906B186E8E9C74FF77DF41E424F262C5

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\121B07FB.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 9576

Entropy (8bit): 3.4598638152645993

Encrypted: false

SSDEEP: 192:9zubdzEXaIMwkH76HZMFieL0wdCeqpKAedwPoewxFsPMJl3mX:9zubdzEXaIk76HZUxNd4ExaOlQ

MD5: 0BB15BF24D41568161111C6E7B921F5C

SHA1: 1D269185061592C9AA86567804EEB818FAC8A362

SHA-256: 8157E13F99D233E246404EFE8D9BFE8629A8E86881EBB2B12ADFDC0315BC1F26

SHA-512: DDBA203C915832C5670F5DBBA1C8CE5D30A4E31A2EEA56202237A6CAA9E8C5A25AD970E626D207E128B57C3BCB610C3F06956934B7D2FF2ED0757DE4CB3714F9

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\13053A28.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 10616

Entropy (8bit): 3.198045606560441

Encrypted: false

SSDEEP: 192:YppJ/t7iPWhvR4NjgP0eE0Tyx1zFdy3ityFxue00Q/7RaNYG:Y7J/t7iPWzejgP0eE0Tyx1xdy34yKe0G

MD5: 288013E2282C8752B4C64E6B0549F426

SHA1: 4766C0F7CA0838051DAB0E571CF8D7CF854B579F

SHA-256: D7A0AAD9AFE90CF2CBD2CEE67BEA83104BBDA8E176561797FF5F94D74EE666AC

SHA-512: D6F95BB5CC0AD34CB444F5EFA035BE6DBEB14C5794B23905153213F708C7C1E494E5BD82455FB8DCDC54B7B0D3720C86288D47A6DC9BE11F166EB4D03D395ADF

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\13CFE1CB.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6008

Entropy (8bit): 3.6766620739967077

Encrypted: false

SSDEEP: 96:ilhPkS2pj+Ipil17TdIoSP6S8w+TaSbjS2c1F+t1Ymmv:ilhcpj+Ipil17TdIW9T/bdOF+Ymmv

MD5: AFD3F2262AE7AD72D5BCCB88A8448CE3

SHA1: 108B5444FA436F62B5D119EFFD08CC2866DA7CE4

SHA-256: 1D5001568B47418ED3AD830D9D0D622EBCACB703F53A75CAB7B04C14D4FB422C

SHA-512: 3E1D640E1EE81EF280EA492D374516C39C10B213E9932C0C4FCDD536C14B8A5AC85873E05E3689D2E851802D0E56F7EFFCBEB1628C0171FBCEFCDAED480B9EA6

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\14A7521E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 18884

Entropy (8bit): 4.113737796232493

Encrypted: false

SSDEEP: 192:N5Bg9bXZ/Qvt9c863qJB27dFrTAU+52FAQYgzF2E2v8QNEVXlP3gOJ4V:MZqPz2pmU+cF9YudRRxC

MD5: 12A95BEA3C9BBB27472470122A94D005

SHA1: D472EA90EA2C7536E96D9269C05B8637B33AA951

SHA-256: 7C702AE9D248563C4BDAE2AFCD15954A93AB21507978BB080FB1CF81713381C4

SHA-512: 853E166408C9957D5F1E7C31FE1EB741E086C240B07EA6E74B9697D3AA33EF144A46409F490A1A085740C78B1D6B35B4AF66DA2300F949D4F8B4F2607E6C5E78

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\150A6B00.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 19020

Entropy (8bit): 3.272043917655634

Encrypted: false

SSDEEP: 384:JWMqIbaxOp5N0AFKcfvLTCoKNi08+3P18kQJ3s5tuYAMiC+lsUbS9pEapyNRd/cP:p5ZFvw

MD5: D6CE8C8502672E81E6B45BF932AF6E69

SHA1: FBEEA9B68CAC40FE4FB2C8819873A7F761834591

SHA-256: 17DFBFED5E6C9F5B92224AFB6E531D8D9B429090EFE123826F6936D057E572D1

SHA-512: A75F0B658E062CEDAF6C63E4F0EBBCB8404881FDEA9A831BCF2766D5B5E46BB6C964A49F84FEDEC674FFF04CDBF0348859DD26D0013EA14489BFD2BA63B4A224

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\15716039.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 7440

Entropy (8bit): 3.469369042226229

Encrypted: false

SSDEEP: 192:9s4bGG1YshwzRyeC6JwI3etx55Fs4CFHdcS:9s4bGG1YsO0Gqx55zkHdp

MD5: 60E4C02644BF61E70CB7722D67FA2788

SHA1: F07173C01C72AFA23F21769325AE45869C0A61CF

SHA-256: 9A037445568621B932AFBDA46BD2F682ECE355924C5C0D8E36C9CF89D0F14464

SHA-512: CAA7784F8CBD2581B118A791888B6CC08DF2B325AC10B33A60EDB271C258CDC0B464A9B7879EBCB827435F14CD7ECCB582719749FC3D785D2D96B8E96D46D4A2

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\15895769.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 7764

Entropy (8bit): 3.695224196320506

Encrypted: false

SSDEEP: 96:whrG0Wk+U0vUsfefdfjf7fgfkfO3q+fofaImjLFRS88xW2eWoAQSpu0z:whrG0+TFRLMr5u0z

MD5: 9AE9D17C772283DED3BF898D5C3C2F2D

SHA1: FC81661214698D0A8F35DD104C0005EE82A5EDC0

SHA-256: 01AD4F7F7BCFA742D4DA72DFAC7E799B9739CC42B9F79C3E428CB1BA28A8FFE0

SHA-512: C37F30E4FD69E87F46C08E9D3FEEB5E0B8EB1DDF31CD42CE1F4406EC4B939F5343BD5017E98D8B51E091E1F3327F0A8DC23E9726662A1294D815628CEE998D77

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\15904432.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 16404

Entropy (8bit): 3.855504524052733

Encrypted: false

SSDEEP: 192:TpbugiJVd24vgwdldFL7FL7b12E8Gv8QNUJlP3gOJ4m2L:6d1Vv1+dXxt2L

MD5: 080C9E4B38CC9B396BBA91650A56E017

SHA1: 9FA7F092F25C8D5A937FC1F86F9E19C3E9E66E7C

SHA-256: B82B66DA02BE99C0640CA89BDE1E3A0934016E02C0DA04FCCE5325E0AFEDCC65

SHA-512: 259E6FFB454491598DD4686B74E23525078F959B32841AF1C63CAF40F088B82EABB906EAB6AC8D64AFC4B30E4B95C9CF3FD5847AD1D2186654B5236B3D80967D

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\15AD3ADF.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 13888

Entropy (8bit): 3.7665426616386926

Encrypted: false

SSDEEP: 96:8IYUw2H9BiMzdwNSbufHO6RjSUNDxzTeQn+3M3105KFYZG3cLrCvR7NE5KIC8MhD:8IXbH8qQFTco7YBMhV4DEuzq

MD5: 4D8E4A47CC5215670FDC03D66C6B17EF

SHA1: E08FCED213B27766C15D40C701EC16AF43D174A9

SHA-256: 3DED705F713ED76E1559F1C2625A9FEEAFFE94D02E8BD94ED01E05EDEF178227

SHA-512: F1C72122990B9AAA4312A663EE4114C3E7776238369BC3C41B5661F8AC34DA8EA333B004C5E744DEE3589EDBAB141C845BB0CE34CF56F844029A722C2C822489

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\16C583A3.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6160

Entropy (8bit): 3.67311914971494

Encrypted: false

SSDEEP: 96:1Fp+cNiJO/pOJCNJRWNavYFDFRMcTGylDvMcn:1/5NiJO/pOJCNKNawFRMcTGUvfn

MD5: 007190642696B49C08508C0BB85739A2

SHA1: C6D45494B1D5E4629A8C9E19C13ACC346D7F0B71

SHA-256: EE20874B8E028A7177E7DF9E2CCCCDE2F82A38D9E5350DD0305118E15634C86C

SHA-512: FF3C1E9363CC0D1372C53AB20E242ADF5DB66A07E0B3E04A62294A3A8B9B6E88F156629AB06492D542A40B8362B466C5113A966824C02933D15232A812B7B74C

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\186462B2.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 15192

Entropy (8bit): 4.16386598909968

Encrypted: false

SSDEEP: 192:v8JNZ/6BXwdFrqB+weT2E8Gv8QNUXl53gOJ4t:v8nI5eT+dXxi

MD5: E2D675A55B03A745458672DD5235677D

SHA1: A76A9B15CD148209E2EC7EE11FE0EA488B96D965

SHA-256: F367A584B22026066782E9C04B0BE004AB0C6CEAC77E162565B204186F5E7540

SHA-512: E3C8B20C439BC0E42A45F077801D89C5719C171D11DB328B09E487B9D116091C69B46E081C69AE96A4485A6D5F0E369E51D993E161AF7E576D09A398DD0DF8CE

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\18903CC4.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 12856

Entropy (8bit): 3.970851023856957

Encrypted: false

SSDEEP: 192:Y05Bmuxcb1c9vdFrwnpP8pPW2E8Gv8QNUXlH3gOJ4c:Y0bSnGdW+dFxH

MD5: CD069A1BA11CB4C7B5318D04E60DBC98

SHA1: E14D28A4C3AD80E7648FF29120FF070C0918BD04

SHA-256: E2321143BD0500DB8D333EEFD303001B5A2A62B6EBC277542585A16DC9F47DEB

SHA-512: CD6EC623BADFE87DF1AC3097E8ECF87EE41A6264EFED45493B0A051A3B3DA98B0B5B59F093C209896B2C03AC0AA30C10FD6F232897AFB68B6E8ECDE5AB48456A

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\194F3407.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8232

Entropy (8bit): 3.580932847698391

Encrypted: false

SSDEEP: 192:pwTXBRezzHZ9e/UwxezO13iFCpM9f4a2POVFmQ:hzHZ9e/QO13i2of4O9

MD5: 7D114EF05A8E5B393EE41580C2954D06

SHA1: A8E6B06ECB0C8543B2F65060478CC0A40B04FC3F

SHA-256: 347F0490F3C77920FE1BEA1EE460AEBF55AFCD040C7467646F642BAC607353B4

SHA-512: 38AA8B8FE98F6AECD7764A769FD4D29921FB6DE9752F1441AF30757CAEC5D3FA9463E83EA9C972B63F2C806202A3525EEA5DB1A0E942E945E2E785FF8F352495

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1CFB9F5F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11320

Entropy (8bit): 3.6939731575974615

Encrypted: false

SSDEEP: 192:5AvMmUPT8hIKmqoD8P53ugBSlMe79PdjtyJbFOPxn0V:5nT8hIKmqaMzQ/xhtQbKG

MD5: DB3F84AEBC88E310599A6459DF743DFA

SHA1: 4255AFD6A58DD77A580F28966B74DCCDB5C26AE9

SHA-256: 83A78012EF94B4FF7D50843F36DE83703589D62AA2B300647A24A56D413EAF28

SHA-512: 5762107DFCC5CAD93147C067DF062B020C2705324312DB152F917665796AFC9ECEBE8FA334733F15CCC13F1EB6F3EABB76052E65EF60AAF7B04C3A474B95D4B2

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1D1E13F6.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 13400

Entropy (8bit): 4.037554098725396

Encrypted: false

SSDEEP: 192:yWIQN9KS0w7wHryPOGhdFrt5h/2E2v8QNHXlP3gOJ48:yWIq95tHj/dARxt

MD5: CCFAF190690C0015BC64DAA8114607FE

SHA1: FA18FE59B8F6557F57BD7AA64F6A541268AFD80F

SHA-256: EF36C610A1B1438D69097D1046FF192745D5867D6C780E5B5D60F2CFAA19E301

SHA-512: FF858593D2C13481FF1EB70FCE558F0C86977BC7F9F236F9E3ED76CF7F3CE75CFEDEBD8A3CFD3048A985DA3E3B5FBD49A914EC2C61557165E76F5CCD8D3062B1

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1D60F6AB.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8120

Entropy (8bit): 3.5959887207777284

Encrypted: false

SSDEEP: 192:k6RtJj6H3xa7n9UT9rEONS3JdVIFRMcb8+uUx:l76H3xaZUT9rr4aPv

MD5: 3740967549DDCCD46AC56CF441FCFC1C

SHA1: 2512106038CFB85D41718AB2655C1D2BB6E6F784

SHA-256: 36861B6FA54E8D38B7EABA34754B8395FBB669FD599C4EA86DEC4222ECB5AF8C

SHA-512: D3B552C723649CAA8945752594E79E60241E93ABA159986F2B5BD43520CC5E0B139B618732AFB1F8D015DA85FD8AE04B8E7022F8C278258C02D38CD3E2FA4C12

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1DA52891.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 9372

Entropy (8bit): 3.274917729939228

Encrypted: false

SSDEEP: 192:IrcVX1ucvZaCvv/e2zXEKApOAVbXvrMwnFx71:IrcVX1ucvZaC/VzXEKApOAVbTMwnH1

MD5: 54ACD239F157AB8674851946D753DB19

SHA1: EF2501110B576DDA32C44D265F708AADCD4B7609

SHA-256: 5A46C31465DFCF368ADA30E160EED56762EA6E8BF0DB34539616A4055D80598D

SHA-512: 87B466857ABF259A693331FF4D86F66CDCC17B0B071C8CE5C62BA217F8B0E5F54C0A03337E0FF6935288EA59EB2DE2C94C3A71BB353CC2903C6700AF71E0F099

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1E17657E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 28208

Entropy (8bit): 3.2343100176950377

Encrypted: false

SSDEEP: 384:cAsEfR1bQ3vzZ2S+w8rdFXvglVun12XZzfi3P0OQxbg7lch4RI8+EHboNx04jsW9:pwsexpBY4cd2

MD5: 2826A62A4AACA81E1CE4733C35A248ED

SHA1: 6A9C139189A487FB381E19C98940BA5CBC486931

SHA-256: AB4D48EF809A0A6C118B596AF3C6A972FB68EB406F9749CA14AED2370746FDDF

SHA-512: 1B0FF327E220773892660ACF6566B6A4E308A6FBB77B782CF5C338FEF2DD69E8D675A341A3CCFF9DAA9B7CB85BBA1E9086DA631773DE19A50FA7EA61EBD060AC

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1FF4D30F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 7172

Entropy (8bit): 3.481966379191935

Encrypted: false

SSDEEP: 96:YHY5lkC4z8DSRhFtjwT+5BO3kZFRMXsb7EXhj:YHY5lkC4IDSRhFtjwT+5BTFRMXskXd

MD5: 0E4FEB5C688EEBC946834417ED8B3B37

SHA1: 345E10BAAB68E13EF594BAF5C7713E6B403E74BA

SHA-256: 22E1D03A1B1C76A4C35C01528EC93B915CD0CB41F19598FE886061C61F17B318

SHA-512: AF188217BAC4C0FAB7CD0BA5215EEAF0F958EA5660D5AF0D7E48E58BE620E9FB55084BA0D4459E41E8170FA2EC142716A63ED5D58F4AC03C63DF96B7E240BACD

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2081CA0F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 12480

Entropy (8bit): 4.117740030834187

Encrypted: false

SSDEEP: 192:IpWmMLIkbyDdFr4VpYoAedV2E8Gv8QNUXYP3gOJ44:IuexUGoF+dgx5

MD5: 9E1154B090EACB94183D4450DF8E39EB

SHA1: E730AA3568955D4A4EB319A58C041AA2811E2B7B

SHA-256: F4C979EC371B86695422A32FFA43E351E12EFC4E01AE36B5CE589CCAC1879337

SHA-512: 924CB17F289583C092B18FC263C5FDDC946FC065AB381815BA5ED8F363EF15109901F106C80351C9D114F810D7A28B755AD53789D256BD1E66180C45A167A838

Malicious: false


Copyright Joe Security LLC 2023 Page 26 of 57


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2125D65F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 15212

Entropy (8bit): 3.850692108292007

Encrypted: false

SSDEEP: 192:36IU36zchF9BzB7UsRpBzYhdFUm8Gy1q2E8Gv8QNUXlD3gOJ4a:+H7x1Gd7y1q+d1xJ

MD5: 69887B7E73D107CD8B088AA78AD2B31A

SHA1: 38C6B7E30E2A1B01B3B2EA648FE6FF75608D88C1

SHA-256: 860985415925DD70B9FDDD91DF8A4F9B05C6CFDC4FA039098A5E6C883D5A0DD4

SHA-512: 1712C0BC2308F3ED1567CFE5FEFAAB2D449A41E56A8CA1BEEAB52A23E9AB8A02241819FFD204F9873FC4CA634D74400F7272619F1BDD6A3BE9F6B2276AB8648F

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\24EB40F6.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6764

Entropy (8bit): 3.5284566371450032

Encrypted: false

SSDEEP: 96:UUhh0YSqo7S3xSvLUG5HXIgwqJCS0nSEQFWmWgg72:jhhFo4SLUG5HXIgwqJsQFWmWL2

MD5: 4478AF8C4A961C1C326CDB506ED42603

SHA1: 1267BE061499EF842C09F82873A23E66F33F8E20

SHA-256: 8402C6C059D21A2607B797193B3519E75E79A7C75CF84933787E448C8DFA5EE4

SHA-512: 38CFF742F9845D32E75F6F14028DE8231D319404B2F35354D0F2CDDF30FE2AD1EB2049EBBA389EEFCCE5778168A9567D6BB700B604E84EC221B0DB092AB0E112

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2647AAEC.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11324

Entropy (8bit): 3.402252144044144

Encrypted: false

SSDEEP: 192:vnhQ9su4g+RNgCqjKJ2u2UKLX2chLGgu35MfBFRVrUJJ6tnel:e9su4g+RNgCq+J2uJKLX2KGZMfBFYr3l

MD5: 687CB9B634731408D88410DACC078AA6

SHA1: 9A17752795C63801566CE383946C7CCE5B5C0690

SHA-256: 9DA82710CFC771655A09C365A8E77EAD1551B71A26CE54FCEA986E66A578CC74

SHA-512: 5B0DB396B723238F55910E747C2C2B748197F0F693A56C17CFBCFD7B1058123B115719AC70E1F2DA2DACE88251FD5F65FD018F369696BAEFD7FB99264CB80237

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\267E3898.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 14976

Entropy (8bit): 3.9925640738507227

Encrypted: false

SSDEEP: 192:5nwlGOv1yXP6fdFrRdzZ/2E8Gv8QNUXlj3gOJ4b:lTWBzV+dhxY

MD5: 17E9381B5CC02CC633ECBB0C95884780

SHA1: D5012B7FC9BC02E2DDCD6DE383D9D999BB1B248B

SHA-256: B2A9B9D6C4382FEF0A30B7A7DCC4F0FE10A5F3D7A43188C73E18934453945E09

SHA-512: DCBC8D78C984442416D87BB9EB92D70E3DE37145FE9B888D204CB1F778EF5552B4AA5D96C3A471F6B7C2B04C690572726E77E4C7F1C61A52C9907677791BE251

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\26DC2624.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11664

Entropy (8bit): 4.388634297392588

Encrypted: false

SSDEEP: 192:n6nP4B3eTbdFrpMD2EBy3k0yzdv8QNaXlP3gOJ4hF:QJkC7LJRxmF

MD5: 22C3E1C8F07F9E6D3EC566E890CF79A7

SHA1: BB3C609AC07D99033E742B429E1E7A5E65F41B1E

SHA-256: 7DBE50E9C96BB3CFE0FB3FDFCA8AD9A4081509805B56571809C6925775076C48

SHA-512: C65D222D0F189E5F4F3BD71BC1276A01C059F12990A29C2E196EC2348BEF5B783BBF9CD4F251A755F94BF6C17DE71D7F38D713D9EB70DDD3CECEC55D395B0982

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\27CA7CCD.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11912

Entropy (8bit): 3.4987852701120974

Encrypted: false

SSDEEP: 192:t79S8tfVd/iXYafBdsM+2lLn/zmkHzCdIv7lbxcgxYpwnOFJFj7H1zIdH:1M8tNd/iXYafbNusbxpxYpwnO/FjD1z4

MD5: 92C6E15538E085BC20A5F9D54E02BD0F

SHA1: 58F7C6520670F42B968F66CD07548FD24475C8A3

SHA-256: C1D53FADA8102B968065E66579F05370655602D7937850C446580E4870424B4C

SHA-512: B11B7528945387B175B17ED01DA9AD34175BB7B68E43D5044E877606C096BDF8BC55C9EED76605073A67FA1A7D1FC26A6E2BE0D67CC9240B5CE12DEF54C7206F

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\287C8B9E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 31216

Entropy (8bit): 3.2140889614400945

Encrypted: false

SSDEEP: 192:XYqgtt/jQkXers0nv3uN/XiW1RtCvYbZkPVq1cNCKPkoLWOC0fHrymTW9Py1wua1:4jPQ3uNPYpvwlrJYLDlTkn2YR

MD5: E560468D3AECFF0F056625F457ADF4B2

SHA1: E85171CE3321607DB6C5662DE0A895AA054822BC

SHA-256: 9B9D35DBBF2A2EF8DA73F66CD46901CE7E028F7DF964EE77DFB483585572CCC5

SHA-512: BD446483CFEE6C0B2503772AC8454A3D26DFE98104DFF4322A2956F3ABA6A6F22CEB6557185E94093A2E8DFF7E72AA0CE40DAE02DB592DDFD8040FB176785D79

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\28F2D5F4.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6140

Entropy (8bit): 3.7195215986197203

Encrypted: false

SSDEEP: 96:03GsFMOXYvRpjNGE+kFkkvzKgDFxSRkNg2h4gzxX:03Gs26YvR9NxxFkkvugDFx1lhr

MD5: 0A9FC386BA1DF3BDD8A5035A6C59590B

SHA1: 7D0B021CCF70AB5EC78E6391BCC805FE6B893134

SHA-256: 6D1B547265E36E0611ACA900234013269F79D51CD70E98A7DED000EE01CC46C8

SHA-512: BBA9C3B54864889C23D369FAEEF1B9C29B5C9ACA4D44CB69FB9820D3A6E693FA325D95D7079B3EFCF63EBC43FF2A7EF1DE27BDB168B25B145D5D9F8D6D730537

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29225B7B.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11536

Entropy (8bit): 4.445463318446656

Encrypted: false

SSDEEP: 192:LSJYrBuNlWidFrwoNF2E8Gv8QNUXlm3gOJ4A:JqnF+dAxt

MD5: 795B995E2FAEC05E0A224BDB06E6227D

SHA1: FF8DE4396DD3EB2580A1E6B87D19800C8B234692

SHA-256: 9FA6F3D050010A6FB04D4EC37B76A700910E0957E8E4CE212B187EA3AA736FB8

SHA-512: A07AECB3D140308ED757C46DB94DE189568DEF8B6A01E065BF99359F022B29DB5E6A60D35BC1188F8569E44297C8A6650EEC6B121AFF85512C62E1F7E893FA64

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29695E3F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6948

Entropy (8bit): 3.0636153985860157

Encrypted: false

SSDEEP: 96:N/LHEBXcgiqh1JhkwMFLL51l2o7bsFsSMMzU8r/bR/:N/LHEBXcgiqh1JhkwQND7gFspMfrN

MD5: EB64B6C90CF9D71EC9C7245CE73AAD58

SHA1: D63A15793DB59905DFF45BA861BDA19BAE8F141F

SHA-256: 501190A840422B1B718A9F8B6656EC7F9F97CF3C82465BC7C48FF546F62D6C74

SHA-512: 08F8E4B62D84BF8A588916E5FA89C15721196065608F0E028FD01FAF0410254DB8C8D72B39237415CFEBEA620F2DF1D1BD1B0E1A3B686A4A87384495EA6A4E0C

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\29EBEC4F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 21272

Entropy (8bit): 3.928219403514768

Encrypted: false

SSDEEP: 192:azQQiaOuRFMZ5YtVsIysvLKdFrDP0XwXwK2E8Gv8Q8UXlP3gOJ4CJS:ajxF7t2jXb+mRxq

MD5: 039469F0467C36313505BE2A0B06507E

SHA1: 45062C0AD43F44E7ADE68176150813378F399D1D

SHA-256: BB4E62CA02A1C9EC68E655E2731FB1F359641F6878B79B331C880AD27E1783C6

SHA-512: A35F565E0C8E5A039AE37F700F5DFD2C4071F2C9306602B7C45A47B1D488C7704FD9F03FCBC966B59D21F405189759A9065A9C21CCC8B1C3DB7520D90280040D

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A1673A0.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 5424

Entropy (8bit): 3.9159936211118604

Encrypted: false

SSDEEP: 96:GOThRGeSNwSvXgLI+9OSUtxNhRQXsuS3SDqFAyYT:GOThR4RXgLIJtxNhRQNqFbe

MD5: 6C3EBDD2926CC7284FF6FB8125742340

SHA1: A4109CD0E0FC1068F2EB2214E69FED5996ED5C5E

SHA-256: 105825EFCE45D6A898FA271AA57A80A5A15C9A58A49FBFAEE3FF92A099AFF043

SHA-512: BC5B6EECC8FBEBA71B54CBEA5CE0A987E09CF1BB2F16DEA10C6D6F707932FA07C4058AF40C56FAD90DCF2A7442F1E137D0D74C43CB73183C471B98E3DA08FF2B

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A207B8.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 16832

Entropy (8bit): 2.865909766460109

Encrypted: false

SSDEEP: 384:w4YX2+0EUjv2jlNxeOIq2U4m6LEToPbs//k4el3sRnKYFI2JBWRVQBi:xkqVQBi

MD5: C9DEF1F8E9AB6BBE39979EF2740FE018

SHA1: 3563260F5CA13AE2620CFE1EFA671CE3F5A6A840

SHA-256: 732C9078DBCF2A2E679A6860EAF1D552C51316DA0A3281005BF2E6840728DCB8

SHA-512: BEB296487E9C429C1DF82B98C1D26567077D0301A0398E66CB17BDD6DA9123D52942821DADB7C1535394E9B550434E6DFC4AFF2C26E36399F3536385F22CE04A

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2D15189E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 5692

Entropy (8bit): 3.499000085320438

Encrypted: false

SSDEEP: 96:rVw0fiEezKwaHvezgdnnfKalNDrzFsS1XRyM7:Zw0aEezKw2vezannfKa7rzFscRyC

MD5: 7FF710B9DF6C8321BBAF95EC90505F34

SHA1: 9C21C5C03F0B6F00C7A1CC03E84E4802F15F19A2

SHA-256: 927D1063BD2A659E35540ED5E002DA378A840B53A6A977C29D83C8699EDE6BEE

SHA-512: 133D33FF6B9054F1D4DBFC5231BA0D4E1BB06E4021B9776BC9DA78F1AF0F57CB8C45276F3F8C41AE82B0E1820317533651E2948184E70DADDE30EADB965C3717

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2D163B02.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 9516

Entropy (8bit): 3.6751093274471933

Encrypted: false

SSDEEP: 192:xlMu3llFh+tPxIi1mffGKdL+MW5RMWypFjw+J:DllFh+tPxIi1s055aBws

MD5: C9D7051AF17AD9962939533EECE2D5BC

SHA1: EF81F36104142000C09E54585C46B5A252BB6074

SHA-256: 57D592F1B4A2D84C15A8F4670168D6F995A7D9C2C8B7013F98E89218186C6F73

SHA-512: 5CD3ABA84815B59E47AD3B937CFCEBA1433300B718E857978B315F1C405E4B8A9B87B3DC809D4604D7C58685C8A13CCB6FC215D974B3893096F5B5CC3BF0B8E6

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2D597744.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6796

Entropy (8bit): 3.143788600320238

Encrypted: false

SSDEEP: 96:e5qLp6pn0ezSk5qisDf6EUXzvo1ewfjNaFxSKxx1cX8r:CqLp6pn1zSqbsDfUDvEewfjNaFxR1csr

MD5: 0559B81FF2F4CC24FBCFCD396B5BE616

SHA1: 66A90252F1692E7E33D322923388882AF7130A12

SHA-256: CBA3513ECE2305F1B554001FD4328FEB274EC1D8B9F55013AAA8537D07BA87EE

SHA-512: 6128CA55D098E17FE30E7FFAACC4988ECBD2BE1DA16E2006A19E83450B68E2F678FE62A790619B332ADA416A47E06BF1900CAA0EFD0E7E4DD9D00860F891C7BF

Malicious: false



C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2D859312.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 14832

Entropy (8bit): 3.9267468231639273

Encrypted: false

SSDEEP: 192:J1sgay/dVKUQ3oB1SxdFrrlyOTFY2E8Gv8QNUXlL3gOJ44:QCCFY+dhxr

MD5: CBE78430333A5BC83AD8DBA28E14FA99

SHA1: B56F8B5678F5A9243A284F448B566D996A62337E

SHA-256: 7F4856ED6A3A27163F5BA7D76BF77A750CA1DEE33B5E8ECAFBB96B2689E10D82

SHA-512: 141B0C11DF8E65CD62B033F2D9978BD15738AE41F8B05AA0CA0473A44DF4D60CA7DB5DAB67C4F4040861960378674AF6266B70F407FFA9D329490330877C257B

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2E65AFF1.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 13272

Entropy (8bit): 4.303156633948491

Encrypted: false

SSDEEP: 192:kEd/xH4UhAvoOrSTdFrkna1zb52EBy3k0yzdv8jNUXlP3gOJ4hQy:kExhCaTC7LORxmQy

MD5: 9DE584B09E28177A9FD6EDC8434CBD2B

SHA1: 0F9EA579C2768A43E3A691246B8D699A0393154D

SHA-256: 77E63B0E6A75F63A0B386D2FD84F0C313054611EC04C16D4642C534CAB17CE2D

SHA-512: AA2AB0DE9C67EA046D6E1E63B3312E3B130A5D3205E6FB52BAAFA0CD69782E626E743A10A85A4A0E5C6A86D761A47A62AF1ABB841EAE6A42C977F1932B4A72D2

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2E7CB9BF.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 16368

Entropy (8bit): 4.130995867244024

Encrypted: false

SSDEEP: 192:Sm5HBd/TzmThKyyb8dFrti95bgRKW2E8Gv8QNUXU+P3gOJ4R:ZhpFyTyc3+dfxS

MD5: 5D505CE52D00E4A98ACC60B4707025FB

SHA1: CCA750F59D6EF00C7CD49F974026F977D35DAB48

SHA-256: 86708BC929DFC85CCCF3C91EDAB6D7B6F786C79F87A14C8945ADC805EA2F89C3

SHA-512: E5D6440446285263536AA03F9192A1709F09E7078169B42861D6A3AACA9AD99CB156873BBFD083CE82A7841F53C5A30678FE0139AA8365DEF16B94F78573D845

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2E9D42AD.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8256

Entropy (8bit): 3.6394092460237677

Encrypted: false

SSDEEP: 192:wt4gIrYjiERa2wdkibeQwZJeroIFsuefZeK796:w+gGYjiERaL0qoIsF7Q

MD5: CBE9EFB80C83D7B3021B62296878B5C5

SHA1: A98ED7070EFC62F0493F339A6F9FE77471574AE5

SHA-256: C727DFE45D5E5386ED2CD102A5B14E7E2820131901DB0F5429D89F9A1F0FAB8E

SHA-512: 30372F259FB07D9365FDE1F66C94E836C8C97C2719965350E92DAD1951BCC30DFC2DAAB7AFECB9D8037FF82DA0359FC6E71FD480287CF575191C57E806C8C675

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2E9FF88D.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 5960

Entropy (8bit): 3.1672979096118055

Encrypted: false

SSDEEP: 48:ZfawOUi4ZD21qDADED56DaDiiD5D2DUDZD/DlD9HRNDfH+3FBuSHzWwTGFg0QOya:swjZx8Ad62j1aYVbJNS3FsSH/p3keh+f

MD5: D0936B03CFBA436AB26F3623486891DA

SHA1: A478E998CCE6EB779E75372410A347815D8C9184

SHA-256: 84F6B9373C03DF7A796989BD7402B50C732B6012FC229B84864B9A07BC89CB49

SHA-512: 690FE5406C7D0B13B9336FD0F843B6FFDBB188414365081F0A618FBA8FE2A8B18EC2F50687DD9940097595846BFB10D4359C74B91598DC3DCA249ADBF9A63357

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\30169E86.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 12484

Entropy (8bit): 2.8550335845557293

Encrypted: false

SSDEEP: 384:zPi0IxJ24RaeUeNrcl+fOJJnod23XMo5dN2tu/+GuEQZJ37:mbQFDQZJ37

MD5: 2EDA406E959407A2BBA62DFB32F4CC7B

SHA1: DE2AB2230684441516E2DDE90E6419BE0B525082

SHA-256: 4FF8B8C191F403DE59D170CA2A47BC6F68B735DB1EC9481A1B6FA1B1266411B2

SHA-512: 5B170008CC0E5DB75A51356266417C8C6B62C936C41112143295EF1A92ADE74D64B45FCD2A65E7E25AA732C2087CD528B46C468DA80B6F46879CFA7A360F10BF

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3059EDE1.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11788

Entropy (8bit): 4.082235229666931

Encrypted: false

SSDEEP: 192:aFp7r3ZX/ZlY2dF1MuVF2E8Gv8QNUXlr3gOJ4o:GZFXhF+d9x7

MD5: 8DF998C9E34DC3B31DDFD0CC5A057671

SHA1: F37CEE321E3D3823262A5C85610B86B755B919CD

SHA-256: 7AFEE441D6AFF6B66FFBB712FFBF9BB8584AE7529FE6E9A7878AE6252D9E329A

SHA-512: 83C5CDC8E8B1CF839EF6C567778914E3F22B0144FCA621649BF27945549945130BA8289192CF7DABF7A91EDCCD60727C3AA8682C828AAB6EC5A8BC9B6BD0B213

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\30C9B5FD.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8536

Entropy (8bit): 3.6238225072183354

Encrypted: false

SSDEEP: 192:XO6whB5dxLoxhKvox7LL6V60kZNiHFGMFji2p:XOZxLNvs7/O60+OoMc2p

MD5: E56ED1E7260669C61E280BE79C128385

SHA1: 23FB3EC2A1F716CC3552A2DB2017C680EEEF2034

SHA-256: 9BB9EB9C71F31688E7F068B85D5A0849CC4548F395FF1ED874484006026C17DE

SHA-512: D67B94336AC4F2A024DC7CC9318C66F4A5DCF212F5062D99749FDEE659A53CCEB037682BC9ECE8B980B7A25D9D08E8F17D4FFED6BD3D4DADE2F14F36780A4045

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\31B38055.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 10428

Entropy (8bit): 3.0431573506212275

Encrypted: false

SSDEEP: 192:HKohRNCXFo66vNN2WV5RYGNh301pd8TMa/S/lFxaC2Saz44Q0:HKohRN426S2WV5RYGNh301pd8TMa/S/8

MD5: 12112C19485CF58857EEA15085F3CE98

SHA1: 7BCE9FA3130E5DE03227C588A1E31FEBF5DB41B3

SHA-256: FD7AF5830DF4047FEEC47A25B7B408D4F042C1F969D8774AD2E180FAA293CF23

SHA-512: FC0CD1D0E5EEA9596774E50380F8DAB01837FF952984DD797199D78D2F34648CDA78637BCD8B7C7F7FA5B31B7486C0C776EED922995D7992315715A1FF1C998E

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\31FE88B4.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11332

Entropy (8bit): 4.495615213042401

Encrypted: false

SSDEEP: 192:FYQtNpc1NMydD+dFr30n/O+2E8Gv8QNUXlY3gOJ4W:R8ISn9+dSxj

MD5: 583533574275C0B991573E034873960B

SHA1: D723E70D37CA71E58BB534D6D8339A9D327F775E

SHA-256: 2B761354BB84988C942E416A949F1CAE6F15488E37B154E6CB8C7037632FA2F8

SHA-512: 85BF9635E84274BD4C27BCBA1BA53C3054D43D787ECC00547C3C7FF33D9760FB43271DC48683E5EDDE99A6C335196EE805A8563BF7ADEBF0AB69970BA4E54242

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3232803.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 7352

Entropy (8bit): 3.6200713593081226

Encrypted: false

SSDEEP: 192:zMvZfMXzd4VPF+nFjvlV4sFxKOp68uynfl:zOfMXzd4VPFoV4sVQyN

MD5: 06D31CFD3A47F9A94F8D120AAC4D4FBF

SHA1: C127EAB7B69551512A866424ADD648A3CC3276BD

SHA-256: 4900BDFBD7C8918D58BE66269C1BBBDC620D8FE694DE8073BBF4FEB67188DF7E

SHA-512: D32620673F5240110AC5A4EF978B6A76EF239C48455FFC4C5DCFD5C72321F44758BF9ACEEC1009A72064A5E62CC05CA07AEDA14847FA137EB2A839484C0A0FFC

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\32BE5E21.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11876

Entropy (8bit): 4.11095108768839

Encrypted: false

SSDEEP: 192:UuKg2ZIj+M9dFrTOV2ECv8QNUXlr3gOJ4Kv:UsHUdd9xFv

MD5: BC6AD9995E0BE6AD934261B84D524AFB

SHA1: C81FF86544060C625142EABE53A9758259632EC7

SHA-256: 8157117CCE010214BAB424241EAB110644971D7FAB9710C52A2E8F1A7D295CFF

SHA-512: D141612002F24B01D2BC3F7336CA473ED81DC6FCF1CC79B420B0B63C5E38E2D3B0B5F506599DC621CA91892E86C24B7680B3DE8482E75AB830AE65FF5807FE43

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\33BD3489.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 7396

Entropy (8bit): 3.6117934178735536

Encrypted: false

SSDEEP: 96:yBh0rS7PlNS7p6Sq2Z6jf853Sib58RSO1JSmbmnG1SjadF0mpW:yBhtPepe2Zwk5iibuD7bmGXdFBpW

MD5: 72B1657E97CA2037242F1B932B805962

SHA1: CF257B4ACFB0776A7CFD589CF854479FE58C70B0

SHA-256: 86D63533E77B4D8221FF27255AE7BDA855670DEDD168830B5E6B8F1696FBD7AD

SHA-512: 6516F81B7B0EC04F17C218F47D67F6BCB3C6C5530A7BE83D9043DADC15535D571CBBF9048458525F60510AD221755422D04FFBB6E23CC94CD4649B7AA1F1E16B

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\33DBF84.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 13272

Entropy (8bit): 4.154773594652695

Encrypted: false

SSDEEP: 192:Ty85VxNISqdFychJ4sG2E8Gv8QNU5lP3gOJ4D:GwyOsG+dnxY

MD5: BD1EE66BD6E10ADCDF5DDBA285DB77DB

SHA1: 401D0B5604E1C506C52D069F5C6A054FD1294F87

SHA-256: B1B82387A87EEF9DC16DC660096B40D207CAC39B0429BF2E15B5D65F3AE35151

SHA-512: 8A2A62D1C0DD6A92593E3287C6A0A61FDFB4344443021A19E820BCD57A7C466D0FB21E3CD26518653836D6BF8621E5DCEE21206E6EC8A42EF3D17AED5DCC389B

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\34D97A04.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 30352

Entropy (8bit): 4.147229253739414

Encrypted: false

SSDEEP: 192:lInWCGNZgJdoRRkM3go4OL2NQqJVjAUbYo0DbWml2mdpLSd2IdFrFbcn4uZGHJuu:eGbgAk22NrV4YLbcntZkJZx+dRxg

MD5: 7AAB1650D0EB97BFB3CCAC2C7C27AF3F

SHA1: 869BF44B56D1F5D386AC7F0EDEF605FBDEA14C71

SHA-256: B280B5E071BDA33E6E65F64E825FB51174336B70849D584DF55CC61675025BEC

SHA-512: 530ABF88C99E098A51A388CF331834C18BF72B40189A19F64B9CB7C490BA7E8A0F915DB0E377815CAEFE1B9E8D503B666A190602A87FD77B41EA132157499BA3

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\35F990F8.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6556

Entropy (8bit): 3.524240580832263

Encrypted: false

SSDEEP: 96:xi6hdW4NSp1SRSnSp3MLGV+5fIzAPe7fSJf6jTtFDPG5nExkfWN:xi6hpooS63MLGV+5gzeeCCj5FCWxkfWN

MD5: 2CCFBE3C36327F01F6583143050A6F3B

SHA1: 3E8964B25B87C78BB4871467DD2A7E1972C55305

SHA-256: 9348BE538D5B8AA6A7A45A146FD1BEE734442E72011BADD9F98B6873682FEF27

SHA-512: A59B9BBD67E7AB2DF8806AD4E5B7EA0C230C05F1FE31559F22F6FC8D33465D3E08BE9547BF2EFFADB9060362041EF03519D487B0C031A4D41FC32D8B94C1C811

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\360603D9.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 19380

Entropy (8bit): 4.141905659410581

Encrypted: false

SSDEEP: 192:QwWm89NXHWroPIpG8N2eOQH/dFr+zY/SY6vybDcGO12E8Gv8QNMXlP3gOJ4h:poXN/EEzY/SBWAGM+LRxG

MD5: 5B2AE666BC4847A2C45A73145F54259A

SHA1: 25CAC6447387A3A83C1F92D9D5EED9523DB250E3

SHA-256: 613F0F1A296AC94DA3992069F88B251071C274CB8A3074E1DF487E06709C3389

SHA-512: 054EB075AAEF7841764AD9392BB7B3FF1BF62EEBC951EE7EF94CA91EB18494908B11E8C93525F83C6C33515DD42D5D6169E5C46CE49516775A0CF86D953011B6

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3627023E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 9880

Entropy (8bit): 3.594319787025662

Encrypted: false

SSDEEP: 192:wA7M+/VR25nIKLIQoIFsCTM0i/M69X6brFWP2:wKR25njLIQoI/jm9X6brH

MD5: 38EAD39CFF6A67361DE74FACDB19626F

SHA1: 8F8BCFA7303A36CBB61E154DF805E2EB77FCD788

SHA-256: B357D36CEC715D23E7C5CB8E8A6F188D14DFAB441D7535F24FDFFAEF4E152DFE

SHA-512: 0FB36BEDDCC02B7E752082F558CF3E53242E61DB08C978B6879B4C9402A457969D30B554B2E87FF7E6C5D65C1498E8279CC9E116915DD533AA9A7641361E2A45

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\36E7A8B0.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11844

Entropy (8bit): 3.518380644591799

Encrypted: false

SSDEEP: 192:0XOLDVLUl/rTWMO0rfgzdgvGg+KrSEMY6ecwz6FFH1U0F:0XOLDVLUl/rN0zdgvG6V6twz6n1U0F

MD5: A0CAB472F56991FAD6498296FEEDE011

SHA1: D23B329D52579CD1CD769FC839E46DFEF0E18A4D

SHA-256: 708530489A1FAB1AEC783B6CB9EBD73B00B5EB777F8090333C4C74BA07400D97

SHA-512: F542FD58EA7888080811EBC0DA7BF0FA9168EC8CFF81527993C8A8438A1677ACC2736F8F0701F678635242A4E60BF1709ABF26F354F6CB052B18EB613FC896E7

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3797D1BB.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6916

Entropy (8bit): 3.2929397745678957

Encrypted: false

SSDEEP: 96:qvg3Mz7jtK4ekHkORWNAgNt0vIAFxSe59BpUKWil/cydp:qv+Mz7jtK4TRWNAgNt0vhFxbLtXdp

MD5: F5CE96474B03B15298382152F6DA1C78

SHA1: CE9C40DCA5DF790546DB048D7A1860837A624A2A

SHA-256: 13011082BE87B2DB62C885A202B64E68C37BCA64969A3BFA3EB57F4E69AEE887

SHA-512: 5713C9FBA2D79B409287560A3185CB0A617B21BB2A442D2C1A552D7F4E299EBB9BB2A327DE24C9A6C0787F82A11010DB96101BC7A49FF29470C97301D55D7405

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\37A44F58.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 16236

Entropy (8bit): 4.084384211444575

Encrypted: false

SSDEEP: 192:V9z9GyZI3wUYOdFrQNq72EBy3k0yzdvkQNUXlP3gOJ4hb:WiN4C7VdRxmb

MD5: 88733A36931F8DC19DDE91629CA7D6BE

SHA1: EA7CAD8D6AA13F120FB553658EB59F732D29E327

SHA-256: FEAE07AD190501B7F7ED3AB5F3BB9E614837F4718F169E3BFE6A869AC87F7C6D

SHA-512: 1D5224096FDF8797868DFA2E61EDF3A01457DF0C6379A4071A276D04ADF849CAEBD9DD1BADC38341F1A8CF4796E25EDE633087463D39FB24DB934B910E1439E5

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\38CD7869.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8624

Entropy (8bit): 3.492486928404126

Encrypted: false

SSDEEP: 192:FzgPODlCQWHKJlIWV9KM2FjuC5FoEBXCF6GNGONI:VMylCQWHKJlIWMnc6XCDGOG

MD5: 43E344FB368FD20C673248D8F24670DB

SHA1: 63C947E01EC8011237EDEF778BE2AD34E736E207

SHA-256: 888FAAAF0ED3A05F5C31869BA458AEA552115683BB8DD02CF501E9B4235E3A05

SHA-512: DBF449065093D6521DBD6F3CFA21CE7F5354B698A78B7B1175B3A3BBAE13A3C467D16365FBEBCE90D18AEC364804FE7E3074DD03E8A3872785C33E3984BFA49F

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A524B18.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8156

Entropy (8bit): 3.187453391841741

Encrypted: false

SSDEEP: 192:9wvlX5vrGoiwij4Uyb2gRzBkFsM/Lmp5Avkysutko:9wvlX5vrGokj4Ue2gRzyjs5AsNuuo



MD5: F4888D9A1FCA2A1AFD0E3F640B4B58DB

SHA1: 83C9419DFEF060129322C02C8A9985D1059C0C3D

SHA-256: F840CADEB8ECBF63268D5710DAAEE506FFDF9D810F2A4E08A63FCB9427313B11

SHA-512: 6CC3A777A4302B183F712475814758157BD703A7420142A1BD8E1B5E2A15D383293AC1ED26F1E79BB2AD4348369D864DEFCB8C514BC01F6D3AC38D60E3EAB548

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A8FB074.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 19772

Entropy (8bit): 3.3092809632200924

Encrypted: false

SSDEEP: 384:k/d8+T6almJ6xIXrH35ZOSTpU7OeejlDRPaSWqE1xJ7LnrX:M7rrX

MD5: DB0E8EB8F43D3BCCC54141DEC108239A

SHA1: 00E739D32E253174B482A6F092DD54C7D06974BD

SHA-256: 0E85B1B7A4307CE18A83C91476E80570B63EDD7F9E35A0384A467E4B54761059

SHA-512: D035D1748A4AAD4276549CEEBB8442D41E3956737B3427093CDB43F64B184ECD9AC650E63E4CE05F76B12255F0A3AE16DDE5CDD1997329483241DD3C4C93FE3A

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3C61628B.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 15924

Entropy (8bit): 3.8150337799085774

Encrypted: false

SSDEEP: 192:oQQgtNbzGw6fUmGAjdFTDP5Y92E8Gv8QNUXl33gOJ4Yl:lEtDPQ+dtxp

MD5: 902E7FF00742D8641909BB376EBC3C33

SHA1: 16D7139479B864745ADC094AD405AB781304B528

SHA-256: FCFB2243341EE897DB812EC0318A612836B4A64DAF82E3CF9F2694B76A574E64

SHA-512: C49DC8A957442713513C3AD363F4906F79D31FE9D95153520B97B9D7A21CE44B215FFB36BC7AEFCDEE19CC9907CE1C00B93B3BE552F88D11564AA6FB3E7D35D2

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3C7A587E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 14612

Entropy (8bit): 3.9027848034055195

Encrypted: false

SSDEEP: 192:92m5FMbpipVmQJai6dFr+RzbGK2E8Gv8QNUXl/3gOJ4z:U0zbGK+d9xo

MD5: 195EBC244FE5E65E70DE56B41096FB1B

SHA1: A4EF27E73AE33DFFD0E85134FB52A6FACD1E1C8E

SHA-256: 086252EB2A0716F2834D243518BE21E99F9E2EC9D1C0C700D886E248BE7969CA



SHA-512: 98AE5F1B23A0E8D80C4AC43CFBD89C14EC9D9C9007B46FCAED4E4C73C042D62A7498EC9D1E3444C1E4AC944F8D916CC35BA48544A4CCA5B10AF47CA451DAC569

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3D017613.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 4612

Entropy (8bit): 3.499490994937926

Encrypted: false

SSDEEP: 48:RKuzVFvtlQPchd1jlHC8SHBSi0F0FBSrLnqbbne:RxFvtlQkhdF5ShSibFSKC

MD5: AABF11CC3D2C9383A7AD324BE14D66A2

SHA1: EAE04D9AFCF8C6A25746F3EA76869205594B0638

SHA-256: 5FE0E9516D0DB90FDACEFF34DE7BF0D00EA79C250D4892C3C2370B622948A2C3

SHA-512: 68A17B841DF16CFAB748ECE5BC3BDD11C27647AE3FF3D1080536EA88AED834B19513D3FB71125EEFCF503E32CF9B002889DFD1AD6EE1FB153A2011D3E7BB2985

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3EA98EDE.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 14052

Entropy (8bit): 4.013070980985426

Encrypted: false

SSDEEP: 192:dAn4IgnbdupXwtWtt/m19F3dFril2E8Gv8QNUXlEL3gOJ4R:vIYmtJm1t6+d+Lx8

MD5: 7853B61B91695495407F4AAC04D7DDD1

SHA1: 202EE445962741FBAF5CADFD69FFD263D38D3673

SHA-256: 83B9FB156E263627A3BAB1FE8AEF166620104A420123761AE7364AB72F999F07

SHA-512: 43C32996B776AA9F8FFC861523A453C6164BE0E2356E4569C3EE8B7265723C0761E4848550AED627CA4A54CC4081E8201B91383694DEBA38101AA6CB4FFE2AFF

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3F6F55EA.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 7580

Entropy (8bit): 3.340841331467098

Encrypted: false

SSDEEP: 96:UvZ72sgme8aCTHiwaYBzDkcLzXViFsSlcmpD:UvZ6sPe8aCTCwDBfkcvX0FsmbD

MD5: B5BB1F60AC9B6421802E908F7463C036

SHA1: 221AE364CB0A4872FBA6AE863DDA2E342A6AE234

SHA-256: 69F9AF259FB4797C0337BB7F28CF5F27089A4C0B83259E0AB6E660DC8F7422D1

SHA-512: 0198DE32B56CE230DBD1794FEE75E4EB19657F629DC3D26E44E15DB6B4B9FB75EB0FABFEF2D966D29DFA97EC1B4AD44CBD8E87118146DF62C7DC614F251EDFBF

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\400CCA35.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 19852

Entropy (8bit): 4.17133160148547

Encrypted: false

SSDEEP: 192:iNyNQClpGafuBUCWeOrqPd4KPUkvdFr3/LY1tD2E8Gv8rNUXlP3gOJ4t:dzfJCDOAfd5KD+mRxw

MD5: BB671AA65AA13BA93B6E4B0DF65EAFD8

SHA1: 29E9053D04B5C0694BB7415D88C6D1133A6E25B8

SHA-256: 73247FFDD6F9129C5951BD1B31B073A49EDAB2048EB818F4CB6B98A11E5BBEB9

SHA-512: 85C6C40C977B5A9FDFB669CEA9456E7E3F8443DA50CA122E579AD09FD0C2AB60F0D9198603759785525CB574FDECEA17699491488E44492AAC9E47038FEEE057

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\404B1362.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 5340

Entropy (8bit): 3.3546787470708277

Encrypted: false

SSDEEP: 48:0fawnUG7wlEtHqsXlY4B2PViij0B4z0fFGFBuS41wbkH5jMjkPoW5ez17:lw8lE5VXlY4BlfgFsS41Go95Ip

MD5: 2C079F6E9C7F1FE449F44B7B631B944D

SHA1: 328DE2B81F3A0FDFCA35264094B6FCBB1AD86AFB

SHA-256: CF4856DD4E5DC64ADCBCB05C2F3F66AEACCFF75D5470DBEFF211D85385F11F0A

SHA-512: 7D224A6A9A85BF74746C37E0CA8325C1BAE072124AC0078D01EA119D4A2F4E35149A6AB27DDF732DFEAD0A3101DD4440D73A71B6FB0C3D60B70388897E47B185

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\410A63BC.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 5272

Entropy (8bit): 3.138666044251228

Encrypted: false

SSDEEP: 48:9yfaw6UQ/wDRDMDT7D2sDBDPDlDQxjDeDEDDUECDCAbDYxC0iFBuSMCx6pYhey9q:JwVFQ7Ztj5o6w1CnExZiFsSM9pMS5COj

MD5: 7B77F4869326410F2FE4272AC5ADCD5F

SHA1: AFA52F5321748CF1BF84A76FF5AFC5F805856718

SHA-256: E385A723E15862AB768962856980D3E13D10113CE4A0E0746CB1C70F09B3371F

SHA-512: 4D7E8E9299959919A2AF4A359E92D92827F8032BB8F4E73B605504CA18673D7FAA416FE5E7AD7E01FECAAA08A133C658A171A80DBDDAEBE033732B23ED0D5E15

Malicious: false



C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4111E8D1.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 9408

Entropy (8bit): 3.285551836546516

Encrypted: false

SSDEEP: 192:aN6h/t46Q+R8fAWKOQvVwDHmNiFaVTRRXo0q:Zhl46Q3fWRVwDHmNisTRC0q

MD5: 0EB25F58D861E6CAFCF061066119FA07

SHA1: E7616E305E0AE1D8F45C6DDB5ABC82852199542C

SHA-256: D3BA7BC4C99166A27A9B29986128D6B0E2D21D5E0F6C5A7C40AB8FD63DC06E1E

SHA-512: 473CCBCA0AE727B011CC7979C908CFD13647E76011A6F6B0DD5959EA2BF2FBA2A62B95CE0DEC99AF84E8FB3E5584E3293926D7D3047510BB1AB7C36317BA77FA

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\419009B7.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 10840

Entropy (8bit): 3.3444309167279918

Encrypted: false

SSDEEP: 192:D3LB5b8ksLRyhaijOEmq7+IUQonWFFSYMYG+LJe24JuZ7l86WaK3:D3LB5b8ksLojOEmq7+jQAWFMYnG+LJez

MD5: DEC1B3137D7965D479C2A53B43BA75B8

SHA1: D35A036F215735C511851780B1A63611AC67C8FA

SHA-256: 55EE96CCDC737C3C58DD7F3E6045787961879E7E41E56E0A606911EB4DB244F4

SHA-512: CD07A9F6E1870C0E9574EDD4EDA0E891E391D6B7C4A3FFB9FCA31695A268AC6241DAE95767200A3BFD9013A193D60503C6AEFF4279DF2B2F4C0565A5AB198C67

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\42678494.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8716

Entropy (8bit): 3.1073723194383986

Encrypted: false

SSDEEP: 96:PJI9Z9d7CLvq+0IeM/Dr9BGH3FxStoHN6Si+9xCazM:PJI9Z9d7CLvR0IeM/Dr9BGH3FxhHNPNM

MD5: 8ED5841DA77FA6A05CEE8122ABA7E7FA

SHA1: CAA4713CDEA3BAB490EAD4FC92FD2232DF90A664

SHA-256: 6A83E3A466BB75BD672F2C1A836332B80C1ED0BDD082D545DA6F973CA4352C8D

SHA-512: 46AF5EF8B62BECF669D5373D073AEDAFF6A43950C95FFF5D6803032464E6B4D27BE3101573ABDDB2026C69D23824B8CF9EE76AB85CB9BEE8F3BFEEC9052C0D1B

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\433228E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE



File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6644

Entropy (8bit): 3.265015254772091

Encrypted: false

SSDEEP: 96:MdP7v8Soe3zdUbvjqNBpU3fSMFxSp1bxkjh8wg4:OP7v8Soe3zd8v2NBpU3fSMFxm1bx3Z4

MD5: B5406691011D502706ACF093B1FBFE6A

SHA1: 5EFE512EF546453A2B5186CD57742F4364DC1900

SHA-256: 5DD62A3E237053B825E6398A4356E575F69250E2837110FD0EE8FB3FE462875A

SHA-512: C0988CD745F9C69F8161A5BE1277D74ABAF00E1C36B2790D29E395F29114E8F833A0656CE88DEC4EC8C39C9420201FFE91137CA9863C520721FE96E7AFF25AD4

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\44F967CF.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 15992

Entropy (8bit): 3.8930663891761568

Encrypted: false

SSDEEP: 192:Y+I+GvPCk2thavFL7AdFh4LxbMly2E8Gv8QNUwlP3gOJ4j:Ycj3uSM+dSxq

MD5: 69AE31B31C92D9DB981D55165C4FCD4E

SHA1: 8A27B41466925567F6CA34F59E39FC9C731C063B

SHA-256: F871AD39505CD2E6E2D0C35779B60CCE1E806C077F0BE0A74305A38EAC075598

SHA-512: 1E0CF489955827303E05DAB55E2FFA007ECC3671B7852E3DBA786CA6047A5368550A53D94CF43BE5ED30C7BE89CD388A44AFC0FB7FCD221C7BC7132AF466C7EF

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\45B5D55E.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 8624

Entropy (8bit): 3.7457949017637198

Encrypted: false

SSDEEP: 96:Wyz97R3YuonvoYLF2Pv/v35zrHqFxSVfGon67ah:Wyz97R3YuKvRLF2Pv/v35zrHqFxQ76Oh

MD5: 7C10B0B2E3C29E46998F416B9FD06349

SHA1: CA8B840785F04F64CB4D23D5AB8A173698C9A3F0

SHA-256: 8C4BADCACE72A1D0568B0EA0DD0EB81B906B44BE383102474B08436278679F16

SHA-512: BA036E4DCFE2FC59B25AD360DF82D5146716B267D22F8E7C30CC48CB3C7077DA7C729DD42298117EA66973DDB669AD7C4530BB617405FF384E53083AF8FF0584

Malicious: false


C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4689A56F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11260

Entropy (8bit): 3.0280120228456004



Encrypted: false

SSDEEP: 192:9vCRfaGcZ7UEtufWG1Jf+1NY5sWXqDEiJngBQLFIZFxE3mObubh:UBaGcZ7UEtufW0Jf+1NY5sW6DEiJngBX

MD5: 5DC02DCD7BD56B0C34F66A2DF5E64E77

SHA1: CFD380676C5C56E0A3009B973293B15F0F34CD59

SHA-256: A116EB73C9A719DBCB5E8750F833706826AE7AA62F3F539870547276795E0920

SHA-512: EED0811E0CCBF184EF864D60B93DE3DCE1D52474E35491402D1375A1CD74635A222DDFC381A874B7706CD5752A24E16253144495AC1028BBADCA83F6E7FBD449

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\48B97D13.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 11160

Entropy (8bit): 4.169176841177113

Encrypted: false

SSDEEP: 192:ic8zTQv4uAndFrBzgb9gr2E8Gv8QNUXlq3gOJ4o:Yd7gur+dcxp

MD5: 40A618BCBBD8CCF6A9CBD2F9F28A2229

SHA1: CD286E2715C6F9CDB685402AE7D9C11887D881E3

SHA-256: F3907F2783EB81D73B5B76C2C112235972DFA463EBE9EBE2840D39D51AAC9D48

SHA-512: 4616B58F3902928C57FB70511E26E6E8B13DBD8AA7FCF36EAD7031C13140CF9A488A88EFACA66473F5EA65AE96DFC050CBCE95BEF4401F3CC670E7D5E233EE13

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\48D8BC63.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6764

Entropy (8bit): 3.6454690186921312

Encrypted: false

SSDEEP: 96:Brw0qGMDqL7DStQZvIFRSl24NllofyMb/Yw/CtSG:Brw0CthFRZ4/loaMTY9

MD5: 96D7D4D94B4306E69C226FF948F18F2C

SHA1: 26BA088A8A5951A689591403B36ACBA0D4613DBD

SHA-256: D00209AA46C5ECE6C848B92B59F2B66685D4E1175236E2DACC4A11A5707DF45A

SHA-512: 957813B39F3B0308F347599682893C6F5EF4BA7F8A774FC4D20C46D1BB203ED88CAC5A4F413783AE467B939C87191E099913D4B964BB4BDC5BC00756ACD0FC74

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\49310B1.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6292

Entropy (8bit): 3.3264596530911508

Encrypted: false

SSDEEP: 48:bwKfavLU4dTKJHVekH27Xk+CmiyDANdjwaRGFBuSIp1P8OKrLlvgUsnl6xvr3gu2:bcvbKJHVekH27X4miKADVYFsS0QUbr

MD5: C64B7A6DC758FB16D256C736356ED0CB

SHA1: 597DF076EBE0D3EA03700E08ADD14A93D549D105

SHA-256: 622AA8F4B9DE121232DB38E723E3EEA029091AA08CBD21FD850EA245AE750BC4

SHA-512: F095F11A1BBD3CCB1D082B4A9CDE80B968BE6917802D37F6BEE81305C4E9240786832E055268E08FF2CDB7A99BFBB9C56B331888D5677A51FD29F75D6EB32B1D

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4958DA57.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 5416

Entropy (8bit): 3.2975865640541526

Encrypted: false

SSDEEP: 48:Mfav8fTSZ0dUeW8fOz4i76GWTEMUABBnLF2uSvCVDtZG3M/rWOhD:tvUjW8fO0i76BTEMU0LFxSvMO3MqW

MD5: C0985D4200E59D3D9CC0C0827F944BA0

SHA1: BD716C956B785679A064941BBE09B3FD3E0756B0

SHA-256: D2DCA022561B7650FFC231E2B733928667EEFBF1F96C463057C3070B67647C54

SHA-512: 1C654EFD876FE845F22C39D11E7CDE03502273A2A4275DAA9E40C8D2429AD50CAADF1E2A5E442DA8E1D7E1FD43468A47FE3D9779B6F001A8EE14F96EF6A4156F

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\49AD2C2F.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 10604

Entropy (8bit): 3.317994176057732

Encrypted: false

SSDEEP: 192:tbfmlWuYJMVLAdOEUYGT0Evi9NgfdSGmF4TAITvC20:yWuEMVLAdVUYe0Si9ewGmWA4vO

MD5: 740127EA6ACAF425C7AB43BD04F71778

SHA1: 6F567CD44BCF0A483B2D84334D8919ADA46F0306

SHA-256: D3AAEEF86625EE11AC927652BD23B136D90D3DA25586A18B9AE66663E502B3F2

SHA-512: 841CF18A0B79DAC1C9D755FD3D22F5C656917856C8A4485AC9D6867D02D00C294F46693127D12E025D0874CCDBC0830ADDCDA6331A86270EDFF1502841DFFB74

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\49E591F2.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 4888

Entropy (8bit): 3.2937654577465714

Encrypted: false

SSDEEP: 48:57QnteSPyTdMk9CV2I80FsQcw1mLuPFBm+EEPFBNjmyW/cPkQLYcR:SteHyk9CVcPqmCzm+EEF3yjGVxR

MD5: 3C899CD2B78684FC0CB867C62B8078AF

SHA1: 7457E46595438067E861380F46F12B1E8258B336

SHA-256: C4E481E9C7C0929484EA31E861D6DECF13D70DF9EB75C78B941E6474DDB73637

SHA-512: 858B83AE8DF629188D4DAD0F4AB641516EF172BBAACA5622EAE8577F1EAD35E8638C8EDF733F9D817A2AF82229F060692A49D43DC187DC684368CFCA7ACB4599

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4A0DE334.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 4292

Entropy (8bit): 3.400979255329495

Encrypted: false

SSDEEP: 48:nzfawGUhL9Hngeg70G9PePLmo9TpFBuSXxCU/GuX4B:nGwT5ngeg73mFsSXx1G/

MD5: 84F56076EC1788B77CA6C4E68A1839C0

SHA1: 61EA9E7E400BB193B3F87A9C104C6F7A670C2263

SHA-256: CCA6BFFE57BB17E27395A48A56D831E5730F4DC1136212CCE88BF0CA62F22011

SHA-512: 0AED0CF484306D6D92B70F0B3FCC214086E66016EEE66F7859200961856A572B5FC87C29C68B1A8E1AF60E34A15342B2265866A16EA8A620ED079521A0547880

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4A8DF1D4.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 9628

Entropy (8bit): 3.607738602771606

Encrypted: false

SSDEEP: 192:cUmHrkvCLTwUfr6MeHWsd8XSQKmMjYOFk2CI347V:hmHrkqLTwUfzstJ3YOm0347V

MD5: 11EFA5C3A2398782E157A5B725F696B8

SHA1: 4EEEB2C89E19FD2E9E65C887D905762E13E85CEE

SHA-256: B6BE21076CF4381107D8989C253910F02FC312E4134B749378013847861A5B88

SHA-512: 02CFE17A7C71299E3ACC06A57B91DA5F273BD37E9B1C27B71A567A1A6366F98BB819D5D7195BE10B43D480B0063D710143A5B3EAE9D809DBBAA5F0A279A2E141

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4B0A2BFF.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 4664

Entropy (8bit): 3.410988395276297

Encrypted: false

SSDEEP: 48:lwk6Ue+tEzfavR+fTSWQyLxVvRzilCUYeF2uSmA9gIg0iUovlE:lwk6Ue+tEGvRmFVvg9FxSRgl03P

MD5: 026DB301C5E93519D5828FDF5BE73711

SHA1: 1AAB2FCAC3870F6B8409F6D9556DA2103B09D5D0

SHA-256: 1A884AE6BE0326386EA33B122ED9CA6ED73946D4C1F528B2AD344520917E1C70

SHA-512: 6FE7EBFDD5851163E5159996C27F5A13D288935663E44B80C1497DAE75D6680A17557D0F1CB8FF479B30D77FD14353BCFE7049C63C2E6D532A34C622BB1D94E2

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4B619389.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 19500

Entropy (8bit): 3.853306165932194

Encrypted: false

SSDEEP: 192:3lm+0OqcV9SmzLkQTOnl0+euPb0szdFrRLsSvQ2E8Gv8PNUXlP3gOJ4V:3lm+LqcWmYeiBLLzvQ+6Rxq

MD5: E63781E6F711713E80370BEB7189A935

SHA1: 5D44FF77000A4E264828C6741FDBE3BF5F8AE7BF

SHA-256: DBF567A36BBB28BB95667CDE741736E2153E07C845B7588DA95A98A781D437D0

SHA-512: BFF62FED093AFDDC847046E326D892DEBCF1CBED88331CF0C153AE34474F3FD952556A3726F9C4D41EEEB8EE345BD474090F9DE75D48E8C6443CD47F9E0C0A6B

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C0CF77.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 7444

Entropy (8bit): 3.0122522029708936

Encrypted: false

SSDEEP: 192:g0NM3BtOO33JwGH6MYkJ+BkvJLA6Fsx3QKSob:g0NM3BtOO3iMYksBkvVA6Kb

MD5: 35EA1EAE4DE3023B803E9026A0AECC84

SHA1: 5F2A36B9C6A8FB2A82DB8C9426CD147795172A28

SHA-256: 3318A181D39CEE25A547DF6C588CA8D173C14F0BC96FABE63C663C03B255C18D

SHA-512: 53E276AFBAAC7A66A72B5CD3A0B63F8CD964224290DCC737882B503C53C3475A2E0439314A4A0D73FA034DF70A81CB973DCE6E691C0E5C0F497E686A3AEFE15B

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4CE85770.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 25852

Entropy (8bit): 3.7150539204999693

Encrypted: false

SSDEEP: 768:lE6MjqXsJoCL1GxVqota6ssN+XxPdGcCUCMGq7V1weyzCZYO:FBI1GxVqota6ssN+XxPdGrUCMGqfwey6

MD5: EEEEB63A2A08C42A0AA09353DAAC0333

SHA1: 4139610A1032D13C94F81F3C0AC24B64258FF2CF

SHA-256: F28575C0666711092A477BB8675CD3A249E3D6160CB609D7A19510F8402C6274

SHA-512: EC196E94E809F8B238AD0C0836ED08D2604FC98A2B064A299A58F7F97798DF52FD599C072F9CD143AE3F0F586FDE546C6B93FA8776E46845932834CCC5360676

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4D18E0EE.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 23136

Entropy (8bit): 3.5286883224467287

Encrypted: false

SSDEEP: 384:iunwdvUNRt57+8Ofs3RlVY42jfG8X+MnyeB0J3DaFiZi/Bo4ZdSOxkb6MZEQS:iunwdMNRX7+8Ofe2jfG8X+MyeCJ3DaFt

MD5: 3D06C4C876B2FD0BC5927380B7D61C11

SHA1: 52F328EDD308AFC2A3C8C9CDC1FBA07C21BD0474

SHA-256: 3059E5B739333040D3E456777EBE6D4C7D8D943D535C23B8391C8DA644E3EB88

SHA-512: 088632128EC562AAAB122A00B29D263AAC0617825E5528B350328B94C52FBC413E94B04A8ECF550D164CDFB28F89E7F39183A72D0F8BE883BAD50D4904A5E83E

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4DC63CEB.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 21356

Entropy (8bit): 3.5565830819705213

Encrypted: false

SSDEEP: 384:CsTL3ryUwtODWgQW/7fYb6rYeWVu50IebyCFOmIbkLD9a:e9zliea

MD5: E66044381CEAE3153DB7AE5E508CBB80

SHA1: FE1A8037CD38DB7320CE6152F1163A34EBD1F896

SHA-256: 96558D7E186808BDA10BFE20F5316773824E60137BDEF4BED59249F166BEA15C

SHA-512: 22D227BADE712FD0DE8BB28B0A729E3955DCE05E57282C67281208F3E91E56875DD2D257A0FD6E792C42A3D013EE2353ACF4D3573D8BFDC6EE36BD7A21B759D3

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4DF8A925.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 12828

Entropy (8bit): 4.262909708424546

Encrypted: false

SSDEEP: 192:IADt2YztbdFrCFK/tc8Hq2E8Gv8QNUXlr3gOJ4P:3vf/t5Hq+dJx8

MD5: AD6B4AF4650532700033E1D97600AA62

SHA1: 58280FA1880DA57411A7FFD56C112596744FDAC3

SHA-256: B05E1AD216D68DE3551AD8E9F61CD509996708019882BD67DEF9D87CC17AF2BB

SHA-512: 192C42D88B52F47BCEF54E9F41494074676421681E220E32E3A1CC01DB61F358246A847AEA956BC67BB3D3635BA679A75513AB761FC74D2827580D112CFD64D9

Malicious: false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4EDF2723.emf

Process: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File Type: Windows Enhanced Metafile (EMF) image data version 0x10000

Category: dropped

Size (bytes): 6980

Entropy (8bit): 3.132621206414898

Encrypted: false

SSDEEP: 192:XVVIX3WkikllHcwsDs9/7iJGuZ0FsBHNVd59s0anx6HKXP:XVVIX3WkikllHk49/7iJGuZ0+Hjv9s0c

MD5: B25152CEC406246775C34634B6C0E3AF

SHA1: 2EF32C1DD6549A9898F1449783381C45E31B9050

SHA-256: A5D2D38EA9D64604ADA6C13EC29A963E2C0E22D061FB0A0307A0152EBD5519FD

SHA-512: 8EF4F44BE1897884176FC6041B6E199811FD6D02B64C9C39336EC3E071DC135DC4BADDE7E68BFCF565782365740943862EA386A86446DDC0C712B751DC63B566

Malicious: false

Static File Info

General
File type: ISO 9660 CD-ROM filesystem data 'recent inventory& our specialtie'

Entropy (8bit): 7.1276435422118025

TrID:
ImgBurn Image (2052548/1) 49.86%
null bytes (2050048/1) 49.80%
Photoshop Action (5010/6) 0.12%
Lotus 123 Worksheet (generic) (2007/4) 0.05%
HSC music composer song (1267/141) 0.03%

File name: pupy-rat.iso

File size: 11079680

MD5: d069812aa63b631897498621de353519

SHA1: 6b0cd7ae05f88d474c361fab658bf4b70c434cd4

SHA256: 17a3c8d822309ce792bcfaac2f1b52eda4974ebfce17a5a7c9821daf6b5fc61f

SHA512: 6dbee994501a4179e7cbbde3a46d26701f046f806b124c671284b8ac12abcfb428816eea4980c807e7588e5fa0005f9a585f23501eb5494e43049dc35602e27b

SSDEEP: 196608:liNPuXPM0cjq/RLx5xsDT/wY//Z/V4On1OFn:sJuXPM0aqFxO9H13o

TLSH: 61B6BF19BB848713D038573080D78B097B39A4107B03472F63A972ADBEFE3E56E67A55

File Icon

Icon Hash: 74f0ccccd4c4ecf4

Network Behavior

TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP

Feb 1, 2023 19:56:01.014087915 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:01.178797007 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:01.178937912 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:01.313070059 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:01.477612972 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:01.480434895 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:01.480514050 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:01.480614901 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:01.485225916 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:01.649765968 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:01.650487900 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:01.660849094 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:01.864799976 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:01.867187977 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:02.031977892 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:02.161715984 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:02.163845062 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:02.328583956 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:02.330058098 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:02.494611979 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:02.496246099 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:02.661962032 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:02.663203001 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:02.829607010 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:02.942729950 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.452328920 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.636281013 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636352062 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636398077 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636418104 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.636445045 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636490107 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636502028 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.636533976 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636576891 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636590004 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.636621952 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636667013 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636676073 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.636713982 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.636769056 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.801218987 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801281929 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801327944 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801354885 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.801378012 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801422119 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801429033 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.801472902 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801517963 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801522017 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.801562071 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801605940 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801610947 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.801649094 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801692963 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801697969 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.801729918 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.801779985 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.804826975 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:03.970154047 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:03.971971989 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:04.137577057 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:04.241317987 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:04.310092926 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:04.475429058 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:04.476191044 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:04.640638113 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:04.641269922 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:04.806399107 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:04.807854891 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:04.973546028 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:04.999707937 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:05.165455103 CET 8443 49730 103.79.76.40 192.168.2.3


Feb 1, 2023 19:56:05.167295933 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:05.332730055 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:56:05.333555937 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:56:05.537740946 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:57:05.680883884 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:57:05.845530033 CET 8443 49730 103.79.76.40 192.168.2.3

Feb 1, 2023 19:58:05.852493048 CET 49730 8443 192.168.2.3 103.79.76.40

Feb 1, 2023 19:58:06.018815041 CET 8443 49730 103.79.76.40 192.168.2.3

Statistics

Behavior

• explorer.exe
• ScriptRunner.exe
• conhost.exe
• WerFault.exe
• EXCEL.EXE


System Behavior

Analysis Process: explorer.exe PID: 3840, Parent PID: -1

General
Target ID: 12

Start time: 19:55:36

Start date: 01/02/2023

Path: C:\Windows\explorer.exe

Wow64 process (32bit): false

Commandline: C:\Windows\Explorer.EXE

Imagebase: 0x7ff7c7a20000

File size: 4612520 bytes

MD5 hash: D7874DD30BA935AAED6F730A0ED84610

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: moderate

File Activities

Registry Activities

Analysis Process: ScriptRunner.exe PID: 6620, Parent PID: 3840

General
Target ID: 13

Start time: 19:55:43

Start date: 01/02/2023

Path: C:\Windows\System32\ScriptRunner.exe

Wow64 process (32bit): false

Commandline: "C:\windows\system32\scriptrunner.exe" -appvscript WerFault.exe

Imagebase: 0x2bd67df0000

File size: 21816 bytes

MD5 hash: 256DB41CC475676223E444781711AF17

Has elevated privileges: false

Has administrator privileges: false

Programmed in: .Net C# or VB.NET

Reputation: low

File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scriptrunner.exe.log read attributes | synchronize | generic write device synchronous io non alert | non directory file success or wait 1 7FFFC2578115 CreateFileW

File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol

\Device\ConDrv 0 0 75 6e 6b 6e 6f 77 6e unknown success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 33 33 53 63 72 69 70 74 20 61 72 67 75 6d 65 6e 74 73 20 61 72 65 20 0d 0a 57 61 69 74 20 69 73 20 46 61 script arguments are Wait is Fa success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 56 23 57 61 69 74 20 69 73 20 46 61 6c 73 65 0d 0a 54 69 6d 65 6f 75 74 20 Wait is FalseTimeout success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 71 15 54 69 6d 65 6f 75 74 20 69 73 20 2d 31 0d 0a Timeout is -1 success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 86 15 52 6f 6c 6c 62 61 63 6b 20 69 73 20 46 61 6c Rollback is Fal success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 105 19 0d 0a 4e 75 6d 62 65 72 20 6f 66 20 73 63 72 69 70 74 73 Number of scripts success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 107 2 4e 75 Nu success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 136 29 53 63 72 69 70 74 20 69 73 20 57 65 72 46 61 75 6c 74 2e 65 78 65 0d 0a 57 61 69 74 20 script is WerFault.exeWait success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 160 24 57 61 69 74 20 69 73 20 46 61 6c 73 65 0d 0a 52 6f 6c 6c 62 61 63 6b 4f Wait is FalseRollbackO success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 175 15 52 6f 6c 6c 62 61 63 6b 4f 6e 45 72 72 6f 72 RollbackOnError success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 201 26 0d 0a success or wait 1 7FFFC0E1C958 WriteFile

\Device\ConDrv 203 2 75 6e 6b 6e 6f 77 6e unknown success or wait 1 7FFFC0E1C958 WriteFile

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scriptrunner.exe.log 0 425 1,"fusion","GAC",01,"WinRT","NotApp",13,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\e074a852d0b7a87fc8713d9727b9a1bb\System.ni.dll",03,"System.Core, Version=4.0.0 success or wait 1 7FFFC2578190 WriteFile

File Read
File Path Offset Length Completion Count Source Address Symbol

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 7FFFC200BEE3 unknown

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 7FFFC200BEE3 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\8d60a20bcb7b36d0ddf74b96d554c96e\mscorlib.ni.dll.aux unknown 176 success or wait 1 7FFFC1F5797A ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ec23d1294499b4ffba61f212cb1217cd\mscorlib.ni.dll.aux unknown 176 success or wait 1 7FFFC1F5797A ReadFile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 7FFFC2011EF6 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\5aa66136dfbf2cc6e3ba6b00dd4d2e9f\System.Core.ni.dll.aux unknown 900 success or wait 1 7FFFC1F5797A ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_64\System\e074a852d0b7a87fc8713d9727b9a1bb\System.ni.dll.aux unknown 620 success or wait 1 7FFFC1F5797A ReadFile

Analysis Process: conhost.exe PID: 6628, Parent PID: 6620

General
Target ID: 14

Start time: 19:55:43

Start date: 01/02/2023

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff7603a0000

File size: 885760 bytes

MD5 hash: C5E9B1D1103EDCEA2E408E9497A5A88F

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: moderate

File Activities

Analysis Process: WerFault.exe PID: 6716, Parent PID: 6620

General
Target ID: 15

Start time: 19:55:46

Start date: 01/02/2023

Path: \Device\CdRom1\WerFault.exe

Wow64 process (32bit): false

Commandline: "E:\WerFault.exe"

Imagebase: 0x7ff642a00000

File size: 570736 bytes

MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Yara matches:
Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 0000000F.00000002.2768445444.0000028E05150000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Rule: ReflectiveLoader, Description: Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Windows_Trojan_Trickbot_2d89e9cd, Description: Targets tabDll64.dll module containing functionality using SMB for lateral movement, Source: 0000000F.00000003.1581503034.0000028E03B30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 0000000F.00000002.2685150639.0000028E042DA000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 0000000F.00000002.2685150639.0000028E042DA000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 0000000F.00000002.2685150639.0000028E042DA000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 0000000F.00000002.2685150639.0000028E042DA000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 0000000F.00000002.2685150639.0000028E042DA000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Rule: Windows_Trojan_Trickbot_2d89e9cd, Description: Targets tabDll64.dll module containing functionality using SMB for lateral movement, Source: 0000000F.00000002.2685150639.0000028E042DA000.00000040.00001000.00020000.00000000.sdmp, Author: unknown

Reputation: low

File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol

c:\users\user\appdata\local\temp\qpb3zv read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 28E03B7F072 CreateFileA

c:\users\user\appdata\local\temp\tmp00tobq read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 28E03B7F072 CreateFileA

c:\users\user\appdata\local\temp\tmpxgxyuu read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 28E03B7F072 CreateFileA

c:\users\user\appdata\local\temp\tmpotncfg read attributes | synchronize | generic read | generic write device synchronous io non alert | non directory file success or wait 1 28E03B7F072 CreateFileA

File Deleted
File Path Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\qpb3zv success or wait 1 28E04E49E13 DeleteFileA

C:\Users\user\AppData\Local\Temp\tmp00tobq success or wait 1 28E04E49E13 DeleteFileA

C:\Users\user\AppData\Local\Temp\tmpxgxyuu success or wait 1 28E04E49E13 DeleteFileA

C:\Users\user\AppData\Local\Temp\tmpotncfg success or wait 1 28E04E49E13 DeleteFileA

File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\qpb3zv 0 4 62 6c 61 74 blat success or wait 1 28E03B7E969 WriteFile

C:\Users\user\AppData\Local\Temp\tmp00tobq 0 1099 -----BEGIN CERTIFICATE----- success or wait 1 28E03B7EBB5 WriteFile

C:\Users\user\AppData\Local\Temp\tmpxgxyuu 0 1704 -----BEGIN PRIVATE KEY----- success or wait 1 28E03B7EBB5 WriteFile

C:\Users\user\AppData\Local\Temp\tmpotncfg 0 1038 -----BEGIN CERTIFICATE----- success or wait 1 28E03B7EBB5 WriteFile

File Read
File Path Offset Length Completion Count Source Address Symbol

\Device\CdRom1\faultrep.dll unknown 5649412 success or wait 1 7FFFE78A16A6 ReadFile

C:\Users\user\AppData\Local\Temp\tmpotncfg unknown 4096 success or wait 1 28E03B7DC36 ReadFile

C:\Users\user\AppData\Local\Temp\tmpotncfg unknown 4096 end of file 1 28E03B7DC36 ReadFile

C:\Users\user\AppData\Local\Temp\tmp00tobq unknown 4096 success or wait 1 28E03B7DC36 ReadFile

C:\Users\user\AppData\Local\Temp\tmp00tobq unknown 4096 end of file 1 28E03B7DC36 ReadFile

C:\Users\user\AppData\Local\Temp\tmpxgxyuu unknown 4096 success or wait 1 28E03B7DC36 ReadFile

Registry Activities

Analysis Process: EXCEL.EXE PID: 6796, Parent PID: 6716

General
Target ID: 16

Start time: 19:55:52

Start date: 01/02/2023

Path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Wow64 process (32bit): false

Commandline: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "E:\file.xls

Imagebase: 0x7ff6add80000

File size: 64367408 bytes

MD5 hash: 23CAD504B3E04BB54CD636AD2874041A

Has elevated privileges: false

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: moderate

File Activities

File Deleted
File Path Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\50620B07.tmp success or wait 1 7FF6AECCD026 DeleteFileW


Registry Activities

Disassembly
⊘ No disassembly

Copyright Joe Security LLC 2023
