Windows Analysis Report 1Edyk9e6oL

Overview

General Information

Sample Name: 1Edyk9e6oL (renamed file extension from none to exe)
Analysis ID: 528554
MD5: 6a8ebc295dbde6256299d4236732cbdc
SHA1: 6975e7c55935f838401f9682480ea3b6749f7307
SHA256: 04595c3111276f02b6dc2ece0778cb5829c086484aeafa24e0aac3d8479deb4b
Tags: BABADEDA-Crypter, exe, signed, Ursnif

Detection

Ursnif
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
PE file has a writeable .text section
Writes or reads registry keys via WMI
Obfuscated command line found
Writes registry values via WMI
Potentially malicious time measurement code found
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • 1Edyk9e6oL.exe (PID: 5256 cmdline: "C:\Users\user\Desktop\1Edyk9e6oL.exe" MD5: 6A8EBC295DBDE6256299D4236732CBDC)
    • 1Edyk9e6oL.tmp (PID: 5624 cmdline: "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" MD5: 760A37743734493F9932E546677C2EF2)
      • 1Edyk9e6oL.exe (PID: 5528 cmdline: "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT MD5: 6A8EBC295DBDE6256299D4236732CBDC)
        • 1Edyk9e6oL.tmp (PID: 6688 cmdline: "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT MD5: 760A37743734493F9932E546677C2EF2)
          • restsharp.exe (PID: 6728 cmdline: "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe" MD5: A445770520FEDB0462439C43D6D898C6)

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
Process Memory Space: restsharp.exe PID: 6728 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.restsharp.exe.35294a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
19.2.restsharp.exe.1280000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
19.2.restsharp.exe.35294a0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 19.2.restsharp.exe.35294a0.2.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 1Edyk9e6oL.exe | Virustotal: Detection: 44%
Source: 1Edyk9e6oL.exe | Metadefender: Detection: 17%
Source: 1Edyk9e6oL.exe | ReversingLabs: Detection: 35%
Antivirus / Scanner detection for submitted sample
Source: 1Edyk9e6oL.exe | Avira: detected
Source: 19.2.restsharp.exe.100000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen8
Source: 1Edyk9e6oL.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: 1Edyk9e6oL.exe | Static PE information: certificate valid
Source: 1Edyk9e6oL.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdbAu | source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Source: Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb | source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdb | source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0060C2B0 FindFirstFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0040E6A0 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | Code function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_0040AEF4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe | Code function: 9_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0060C2B0 FindFirstFileW,GetLastError,
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0040E6A0 FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp | Code function: 10_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
Source: unknown | DNS traffic detected: query: get.updates.avast.cn replaycode: Name error (3)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.galuzzi.it.
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.iisc.ernet.in
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.inkscape.org/)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.inkscape.org/namespaces/inkscape
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/download-1.2.php
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org/projects/SDL_image
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/projects/SDL_image/
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org/projects/SDL_mixer
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/projects/SDL_mixer/
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.libsdl.org/projects/SDL_ttf
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.drString found in binary or memory: http://www.libsdl.org/projects/SDL_ttf/
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.opensc.ws/c-c-help/19270-direct-code-injection-x32-x64-2.html#post176735)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: http://www.tux4kids.com.
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://blog.rewolf.pl/blog/?feed=rss2)
              Source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpString found in binary or memory: https://dev.krzaq.cc/)
Source: restsharp.exe, 00000013.00000002.554163309.00000000030CB000.00000004.00000010.sdmp  String found in binary or memory: https://get.u
Source: restsharp.exe, 00000013.00000002.553908667.0000000001524000.00000004.00000020.sdmp, restsharp.exe, 00000013.00000002.553930083.0000000001536000.00000004.00000020.sdmp  String found in binary or memory: https://get.updates.avast.cn/
Source: restsharp.exe, 00000013.00000002.553890287.0000000001510000.00000004.00000020.sdmp  String found in binary or memory: https://get.updates.avast.cn/sreamble/byn8hRGg_2/B67AeijKX4tuEr1sn/dvpKbG1_2FYf/rPVCgZrAe_2/FPqeoAPF
Source: 1Edyk9e6oL.exe  String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: 1Edyk9e6oL.exe  String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmp  String found in binary or memory: https://www.innosetup.com/
Source: 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmp  String found in binary or memory: https://www.remobjects.com/ps
Source: unknown  DNS traffic detected: queries for: get.updates.avast.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match  File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match  File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY
Source: restsharp.exe, 00000013.00000002.553577591.000000000149A000.00000004.00000020.sdmp  Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match  File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
Source: Yara match  File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section
Source: is-DL2UG.tmp.10.dr  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 1Edyk9e6oL.exe  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 9_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: 10_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: String function: 0060CD28 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: String function: 006163B4 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: String function: 00616130 appears 39 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: String function: 00427848 appears 42 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: String function: 0040CC60 appears 34 times
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: String function: 0040873C appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: String function: 005F5C7C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: String function: 005F5F60 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: String function: 005DE888 appears 40 times
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  Code function: 19_2_00101C90 GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  Code function: 19_2_00101703 NtMapViewOfSection,
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  Code function: 19_2_001019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: 1Edyk9e6oL.tmp.1.dr  Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 1Edyk9e6oL.tmp.9.dr  Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 1Edyk9e6oL.exe, 00000001.00000003.292668523.00000000023E8000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenamekernel32j% vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000000.283304261.00000000004DC000.00000002.00020000.sdmp  Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000003.284182308.000000000270C000.00000004.00000001.sdmp  Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000001.00000003.284869590.000000007FE68000.00000004.00000001.sdmp  Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.291384347.00000000026FC000.00000004.00000001.sdmp  Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.426104453.00000000023D8000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenamekernel32j% vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000000.290559398.00000000004DC000.00000002.00020000.sdmp  Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe, 00000009.00000003.293025032.000000007FE68000.00000004.00000001.sdmp  Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe  Binary or memory string: OriginalFileName vs 1Edyk9e6oL.exe
Source: 1Edyk9e6oL.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.1.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.9.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1Edyk9e6oL.tmp.9.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-DL2UG.tmp.10.dr  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  Section loaded: libtfs2.0.dll
Source: is-P09CL.tmp.10.dr  Static PE information: Number of sections : 12 > 10
Source: is-E4UP5.tmp.10.dr  Static PE information: Number of sections : 13 > 10
Source: is-9HHB4.tmp.10.dr  Static PE information: Number of sections : 13 > 10
Source: is-BB30O.tmp.10.dr  Static PE information: Number of sections : 13 > 10
Source: is-K16NE.tmp.10.dr  Static PE information: Number of sections : 14 > 10
Source: 1Edyk9e6oL.exe  Virustotal: Detection: 44%
Source: 1Edyk9e6oL.exe  Metadefender: Detection: 17%
Source: 1Edyk9e6oL.exe  ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  File read: C:\Users\user\Desktop\1Edyk9e6oL.exe
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown  Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 9_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Code function: 10_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  File created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp
Source: classification engine  Classification label: mal54.troj.evad.winEXE@9/305@1/0
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Code function: 6_2_0062CFB8 GetVersion,CoCreateInstance,
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 1_2_0041A4DC GetDiskFreeSpaceW,
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp  Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp  Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 1Edyk9e6oL.tmp, 0000000A.00000003.417952004.00000000051E5000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000002.552037408.0000000000574000.00000002.00020000.sdmp  Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Code function: 1_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,
Source: 1Edyk9e6oL.exe  String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: 1Edyk9e6oL.exe  String found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
Source: 1Edyk9e6oL.exe  String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp  Window found: window name: TMainForm
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: 1Edyk9e6oL.exe  Static file information: File size 5210880 > 1048576
Source: 1Edyk9e6oL.exe  Static PE information: certificate valid
Source: 1Edyk9e6oL.exe  Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdbAu source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp
Source: Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb source: 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp
Source: Binary string: D:\dll\2016\Release\qtbase\Temp\Organizer\pdb\8\ClientDoc\x64\Crc32C\React.pdb source: 1Edyk9e6oL.tmp, 0000000A.00000003.418686912.00000000052B9000.00000004.00000001.sdmp, restsharp.exe, 00000013.00000000.416440648.0000000000648000.00000002.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe  Unpacked PE file: 19.2.restsharp.exe.100000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Obfuscated command line found
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
Source: C:\Users\user\Desktop\1Edyk9e6oL.exe  Process created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp "C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004B5000 push 004B50DEh; ret
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004B5980 push 004B5A48h; ret
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458000 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049B03C push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A00F8 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458084 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004B1084 push 004B10ECh; ret
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A1094 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0041A0B4 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004270BC push 00427104h; ret
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458108 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004321C8 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A21D8 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049E1B8 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049A260 push 0049A378h; ret
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00455268 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004252D4 push ecx; mov dword ptr [esp], eax
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004592FC push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0045B284 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00430358 push ecx; mov dword ptr [esp], eax
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00430370 push ecx; mov dword ptr [esp], eax
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00459394 push ecx; mov dword ptr [esp], ecx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A1428 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0049B424 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004A24D8 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004224F0 push 004225F4h; ret
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004304F0 push ecx; mov dword ptr [esp], eax
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00499490 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458564 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00458574 push ecx; mov dword ptr [esp], edx
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_00457574 push ecx; mov dword ptr [esp], ecx
              Source: 1Edyk9e6oL.exe Static PE information: section name: .didata
              Source: 1Edyk9e6oL.tmp.1.dr Static PE information: section name: .didata
              Source: 1Edyk9e6oL.tmp.9.dr Static PE information: section name: .didata
              Source: is-K16NE.tmp.10.dr Static PE information: section name: /4
              Source: is-K16NE.tmp.10.dr Static PE information: section name: .xdata
              Source: is-K16NE.tmp.10.dr Static PE information: section name: /14
              Source: is-E4UP5.tmp.10.dr Static PE information: section name: /4
              Source: is-E4UP5.tmp.10.dr Static PE information: section name: .xdata
              Source: is-E4UP5.tmp.10.dr Static PE information: section name: /14
              Source: is-9HHB4.tmp.10.dr Static PE information: section name: /4
              Source: is-9HHB4.tmp.10.dr Static PE information: section name: .xdata
              Source: is-9HHB4.tmp.10.dr Static PE information: section name: /14
              Source: is-P09CL.tmp.10.dr Static PE information: section name: .xdata
              Source: is-BB30O.tmp.10.dr Static PE information: section name: /4
              Source: is-BB30O.tmp.10.dr Static PE information: section name: .xdata
              Source: is-BB30O.tmp.10.dr Static PE information: section name: /14
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_00101264 LoadLibraryA,GetProcAddress,
              Source: 1Edyk9e6oL.tmp.1.dr Static PE information: real checksum: 0x0 should be: 0x331370
              Source: 1Edyk9e6oL.tmp.9.dr Static PE information: real checksum: 0x0 should be: 0x331370
              Source: is-T5J2K.tmp.10.dr Static PE information: real checksum: 0x234a01 should be: 0x24a5f6
              Source: is-DL2UG.tmp.10.dr Static PE information: real checksum: 0x690dcc should be: 0x69934a
              Source: is-K16NE.tmp.10.dr Static PE information: 0xA5E8A5E0 [Sat Mar 16 06:57:36 2058 UTC]
              Source: initial sample Static PE information: section name: .text entropy: 6.89492529939
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libffi-6.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-BB30O.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstcontroller-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-QKKTN.tmp
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe File created: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libchromaprint.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libid3tag.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-E4UP5.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error6-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IQQ0L.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstfft-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\tsharkdecode.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-N1KLR.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libintl-8.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstapp-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-T5J2K.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-O8CLQ.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K9D4V.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8ICQF.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstriff-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-M842K.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstsdp-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libplist.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Local\Temp\is-R4E5D.tmp\_isetup\_setup64.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-DL2UG.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Local\Temp\is-D9HG4.tmp\_isetup\_setup64.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-L6LQH.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IKHRO.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-P09CL.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libmms-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IOVRI.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-9HHB4.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaac.dll (copy)
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe File created: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\liborc-test-0.4-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaad2.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libtasn1-6.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K16NE.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8I9B6.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-FA52M.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libnettle-4-6.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-SNH0L.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SharpDX Direct3D9Utility
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SharpDX Direct3D9Utility\SharpDX Direct3D9Utility.lnk

              Hooking and other Techniques for Hiding and Protection:

              Yara detected Ursnif
              Source: Yara match File source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
              Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe TID: 6428 Thread sleep time: -39000s >= -30000s
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe TID: 4596 Thread sleep time: -90000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libffi-6.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-BB30O.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstcontroller-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-QKKTN.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libid3tag.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libchromaprint.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-E4UP5.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error6-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstfft-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\tsharkdecode.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IQQ0L.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-N1KLR.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libintl-8.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstapp-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-T5J2K.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-O8CLQ.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K9D4V.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8ICQF.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstriff-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstsdp-1.0-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-M842K.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libplist.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R4E5D.tmp\_isetup\_setup64.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D9HG4.tmp\_isetup\_setup64.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IKHRO.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-L6LQH.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libmms-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-P09CL.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-9HHB4.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IOVRI.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaac.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\liborc-test-0.4-0.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libtasn1-6.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K16NE.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8I9B6.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-FA52M.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libnettle-4-6.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-SNH0L.tmp
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381207 rdtsc
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0040AEF4 FindFirstFileW,FindClose,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0060C2B0 FindFirstFileW,GetLastError,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0040E6A0 FindFirstFileW,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_0040AEF4 FindFirstFileW,FindClose,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exe Code function: 9_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0060C2B0 FindFirstFileW,GetLastError,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0040E6A0 FindFirstFileW,FindClose,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Code function: 10_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Thread delayed: delay time: 39000
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Thread delayed: delay time: 90000
              Source: restsharp.exe, 00000013.00000002.553869733.0000000001502000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"

              Anti Debugging:

              Potentially malicious time measurement code found
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E3813D0
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381440
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41C4CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_00101264 LoadLibraryA,GetProcAddress,
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E381207 rdtsc
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41FF01 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E42E7EF mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E42E877 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_0053FBEC mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41BAA2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E41C4CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe Code function: 19_2_6E423D7F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\Desktop\1Edyk9e6oL.exe "C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp Process created: C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe "C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp Code function: 6_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmpBinary or memory string: Program Manager
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmpBinary or memory string: Progman
              Source: restsharp.exe, 00000013.00000002.554020610.0000000001A20000.00000002.00020000.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmpQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmpCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmpCode function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmpCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmpCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmpCode function: GetLocaleInfoW,
              Source: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmpCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: 1_2_00405AE0 cpuid
              Source: C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmpCode function: 6_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: 1_2_0041C3D8 GetLocalTime,
              Source: C:\Users\user\Desktop\1Edyk9e6oL.exeCode function: 1_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

              Stealing of Sensitive Information:

              barindex
              Yara detected UrsnifShow sources
              Source: Yara matchFile source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
              Source: Yara matchFile source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected UrsnifShow sources
              Source: Yara matchFile source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: restsharp.exe PID: 6728, type: MEMORYSTR
              Source: Yara matchFile source: 19.2.restsharp.exe.35294a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 19.2.restsharp.exe.1280000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 19.2.restsharp.exe.35294a0.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation2 | DLL Side-Loading1 | Exploitation for Privilege Escalation1 | Deobfuscate/Decode Files or Information11 | Input Capture1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Native API1 | Registry Run Keys / Startup Folder1 | DLL Side-Loading1 | Obfuscated Files or Information3 | LSASS Memory | File and Directory Discovery2 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter12 | Logon Script (Windows) | Access Token Manipulation1 | Software Packing12 | Security Account Manager | System Information Discovery35 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection13 | Timestomp1 | NTDS | Security Software Discovery21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder1 | DLL Side-Loading1 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion11 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | System Owner/User Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection13 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

Behavior Graph

Behavior Graph ID: 528554, Sample: 1Edyk9e6oL, Startdate: 25/11/2021, Architecture: WINDOWS, Score: 54
Signatures attached to the start node: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures
Process chain recovered from the graph:
1Edyk9e6oL.exe (started; Obfuscated command line found) dropped C:\Users\user\AppData\...\1Edyk9e6oL.tmp (PE32) and started 1Edyk9e6oL.tmp
1Edyk9e6oL.tmp dropped C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and started 1Edyk9e6oL.exe
1Edyk9e6oL.exe (Obfuscated command line found) dropped C:\Users\user\AppData\...\1Edyk9e6oL.tmp (PE32) and started 1Edyk9e6oL.tmp
1Edyk9e6oL.tmp dropped C:\Users\user\...\restsharp.exe (copy) (PE32), C:\Users\user\...\tsharkdecode.dll (copy) (PE32+), C:\Users\user\...\libtasn1-6.dll (copy) (PE32+) and 38 other files (none is malicious), and started restsharp.exe
restsharp.exe contacted get.updates.avast.cn

              Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
1Edyk9e6oL.exe | 45% | Virustotal | -
1Edyk9e6oL.exe | 17% | Metadefender | -
1Edyk9e6oL.exe | 36% | ReversingLabs | Win32.Backdoor.Androm
1Edyk9e6oL.exe | 100% | Avira | BDS/Androm.bikjn

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp | 2% | ReversingLabs | -

Unpacked PE Files

Source | Detection | Scanner | Label
19.2.restsharp.exe.100000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen8
19.2.restsharp.exe.1280000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

Domains

Source | Detection | Scanner | Label
get.updates.avast.cn | 0% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://blog.rewolf.pl/blog/?p=102&replytocom=47722#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?page_id=41) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47431#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=56#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47413#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=62459#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=48075#respond) | 0% | Avira URL Cloud | safe
http://www.tux4kids.com. | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=50#respond) | 0% | Avira URL Cloud | safe
http://blag.oxff.net/#2sapnfkthvpzjscp3xwq) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=44440#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=41474#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=51#respond) | 0% | Avira URL Cloud | safe
http://www.ffri.jp/assets/files/research/research_papers/psj10-murakami_EN.pdf) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=31582#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47375#respond) | 0% | Avira URL Cloud | safe
https://www.remobjects.com/ps | 0% | URL Reputation | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47660#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?page_id=679) | 0% | Avira URL Cloud | safe
https://www.innosetup.com/ | 0% | URL Reputation | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47756#respond) | 0% | Avira URL Cloud | safe
http://security.szurek.pl/) | 0% | Avira URL Cloud | safe
http://omeg.pl/blog) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47661#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=33151#respond) | 0% | Avira URL Cloud | safe
http://j00ru.vexillium.org/) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=30002#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47957#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47662#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=62454#respond) | 0% | Avira URL Cloud | safe
http://lync.in/) | 0% | Avira URL Cloud | safe
http://gynvael.coldwind.pl/) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47365#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=31630#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47392#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=51989#respond) | 0% | Avira URL Cloud | safe
http://rewolf.pl/stuff/x86tox64.zip) | 0% | Avira URL Cloud | safe
http://bura-bura.com/blog/archives/2005/08/02/how-to-compile-an-application-for-102-or-103-using-xco | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=54#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?page_id=859) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=64853#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=60901#respond) | 0% | Avira URL Cloud | safe
https://blog.rewolf.pl/blog/?feed=rss2) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=48#respond) | 0% | Avira URL Cloud | safe
http://www.galuzzi.it. | 0% | Avira URL Cloud | safe
https://vul.anbai.com/43355.html) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=64490#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=48030#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47723#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=1934#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=33194#respond) | 0% | Avira URL Cloud | safe
https://get.updates.avast.cn/ | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47373#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=62478#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=64489#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=48008#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=65057#respond) | 0% | Avira URL Cloud | safe
https://labs.nettitude.com/dll-injection-part-two/) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47645#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=424#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=51969#respond) | 0% | Avira URL Cloud | safe
http://terminus.rewolf.pl/) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=48072#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47964#respond) | 0% | Avira URL Cloud | safe
http://tamaroth.eu/) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=51972#respond) | 0% | Avira URL Cloud | safe
http://translationproject.org/extra/matrix.html | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47991#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=64845#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47969#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=48079#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=102&replytocom=47992#respond) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=80) | 0% | Avira URL Cloud | safe
http://blog.rewolf.pl/blog/?p=319) | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
get.updates.avast.cn | unknown | unknown | true | - | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://blog.rewolf.pl/blog/?p=102&replytocom=47722#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?page_id=41) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | 1Edyk9e6oL.exe | false | - | high
https://github.com/rwfpl/rewolf-wow64ext) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://tux4kids.alioth.debian.org | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://blog.rewolf.pl/blog/?p=102&replytocom=47431#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=56#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.inkscape.org/) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://www.iisc.ernet.in | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://blog.rewolf.pl/blog/?p=102&replytocom=47413#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=62459#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=48075#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tux4kids.com. | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=50#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blag.oxff.net/#2sapnfkthvpzjscp3xwq) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=44440#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.libsdl.org/projects/SDL_image | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://blog.rewolf.pl/blog/?p=102&replytocom=41474#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=51#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://wordpress.org/) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://www.ffri.jp/assets/files/research/research_papers/psj10-murakami_EN.pdf) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=31582#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=47375#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.remobjects.com/ps | 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmp | false | URL Reputation: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=47660#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?page_id=679) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.innosetup.com/ | 1Edyk9e6oL.tmp, 1Edyk9e6oL.tmp, 0000000A.00000000.295154487.0000000000401000.00000020.00020000.sdmp | false | URL Reputation: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=47756#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://security.szurek.pl/) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://omeg.pl/blog) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=47661#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=33151#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com/rwfpl) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://j00ru.vexillium.org/) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=30002#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=47957#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=47662#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=62454#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://lync.in/) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://gynvael.coldwind.pl/) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=47365#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.libsdl.org/projects/SDL_mixer/ | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr | false | - | high
http://blog.rewolf.pl/blog/?p=102&replytocom=31630#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://sourceforge.net/tracker/index.php?func=detail&aid=421508&group_id=12715&atid=112715) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://0xeb.wordpress.com/) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://blog.rewolf.pl/blog/?p=102&replytocom=47392#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=51989#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://rewolf.pl/stuff/x86tox64.zip) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://bura-bura.com/blog/archives/2005/08/02/how-to-compile-an-application-for-102-or-103-using-xco | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp, is-I63UE.tmp.10.dr | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=54#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?page_id=859) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=64853#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=60901#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://blog.rewolf.pl/blog/?feed=rss2) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/rwfpl/followers) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://blog.rewolf.pl/blog/?p=102&replytocom=48#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | - | high
http://www.galuzzi.it. | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://vul.anbai.com/43355.html) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.rewolf.pl/blog/?p=102&replytocom=64490#respond) | 1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmp | false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://blog.rewolf.pl/blog/?p=102&replytocom=48030#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://blog.rewolf.pl/blog/?p=102&replytocom=47723#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://blog.rewolf.pl/blog/?p=102&replytocom=1934#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.libsdl.org/projects/SDL_mixer1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                          high
                                          http://blog.rewolf.pl/blog/?p=102&replytocom=33194#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://gdtr.wordpress.com/)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.inkscape.org/namespaces/inkscape1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                              high
                                              https://get.updates.avast.cn/restsharp.exe, 00000013.00000002.553908667.0000000001524000.00000004.00000020.sdmp, restsharp.exe, 00000013.00000002.553930083.0000000001536000.00000004.00000020.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://blog.rewolf.pl/blog/?p=102&replytocom=47373#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://github.com/rwfpl)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                high
                                                http://blog.rewolf.pl/blog/?p=102&replytocom=62478#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://blog.rewolf.pl/blog/?p=102&replytocom=64489#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.corelan.be/index.php/2011/11/05/wow64-egghunter/)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://blog.rewolf.pl/blog/?p=102&replytocom=48008#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://blog.rewolf.pl/blog/?p=102&replytocom=65057#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://labs.nettitude.com/dll-injection-part-two/)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://blog.rewolf.pl/blog/?p=102&replytocom=47645#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://blog.rewolf.pl/blog/?p=102&replytocom=424#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://blog.rewolf.pl/blog/?p=102&replytocom=51969#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://pwningmad.wordpress.com/)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://terminus.rewolf.pl/)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://twitter.com/intent/follow?original_referer=http%3A%2F%2Fblog.rewolf.pl%2Fblog%2F%3Fp%3D102&r1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://blog.rewolf.pl/blog/?p=102&replytocom=48072#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://blog.rewolf.pl/blog/?p=102&replytocom=47964#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://creativecommons.org/publicdomain/zero/1.0/is-EAQ8J.tmp.10.drfalse
                                                        high
                                                        http://tamaroth.eu/)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://code.google.com/p/corkami/source/browse/trunk/misc/MakePE/examples/asm/usermode_test.asm?spec1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://blog.rewolf.pl/blog/?p=102&replytocom=51972#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://jrsoftware.org/ishelp/index.php?topic=setupcmdline1Edyk9e6oL.exefalse
                                                            high
                                                            http://translationproject.org/extra/matrix.html1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://blog.rewolf.pl/blog/?p=102&replytocom=47991#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://blog.rewolf.pl/blog/?p=102&replytocom=64845#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://openclipart.org/detail/188214/eraser-by-crisg-188214U2is-EAQ8J.tmp.10.drfalse
                                                              high
                                                              http://blog.rewolf.pl/blog/?p=102&replytocom=47969#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.libsdl.org/projects/SDL_ttf1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://blog.rewolf.pl/blog/?p=102&replytocom=48079#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://blog.rewolf.pl/blog/?p=102&replytocom=47992#respond)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://blog.rewolf.pl/blog/?p=80)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://sourceforge.net/bugs/?func=detailbug&bug_id=131474&group_id=12715)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://blog.rewolf.pl/blog/?p=319)1Edyk9e6oL.tmp, 0000000A.00000003.419355543.0000000005390000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown

                                                                  Contacted IPs

                                                                  No contacted IP infos

                                                                  General Information

                                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                                  Analysis ID:528554
                                                                  Start date:25.11.2021
                                                                  Start time:13:50:03
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 13m 1s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:light
                                                                  Sample file name:1Edyk9e6oL (renamed file extension from none to exe)
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal54.troj.evad.winEXE@9/305@1/0
                                                                  EGA Information:Failed
                                                                  HDC Information:
                                                                  • Successful, ratio: 39% (good quality ratio 37.6%)
                                                                  • Quality average: 81.1%
                                                                  • Quality standard deviation: 25.4%
                                                                  HCA Information:Failed
                                                                  Cookbook Comments:
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  Warnings:
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                  • Created / dropped Files have been reduced to 100
                                                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                  Simulations

                                                                  Behavior and APIs

Time | Type | Description
13:51:59 | API Interceptor | 2x Sleep call for process: restsharp.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  No context

                                                                  Domains

                                                                  No context

                                                                  ASN

                                                                  No context

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp
                                                                  Process:C:\Users\user\Desktop\1Edyk9e6oL.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):3284992
                                                                  Entropy (8bit):6.3579189698019185
                                                                  Encrypted:false
                                                                  SSDEEP:49152:rEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVz3338b:v92bz2Eb6pd7B6bAGx7J333g
                                                                  MD5:760A37743734493F9932E546677C2EF2
                                                                  SHA1:4BB319A4AD20E4EFDF2DFCF230E59808E35B46B2
                                                                  SHA-256:B85D912CDB8A4D222EC9AFF890BD2D531E7587DFE5DE1029DB6EB99EFFB2C1C1
                                                                  SHA-512:CEEFB0306750EEB52BC9C6EDF89A89BA21D55B3E5E22B8CDC35D23C2000CB12483509FE5970DAC74801A84B30E412F918300669D12B4330240387804F7F7FB59
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 2%
                                                                  Reputation:unknown
                                                                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................3...........@......@....................-......p-.29....-.......................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
                                                                  C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  Process:C:\Users\user\Desktop\1Edyk9e6oL.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):3284992
                                                                  Entropy (8bit):6.3579189698019185
                                                                  Encrypted:false
                                                                  SSDEEP:49152:rEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVz3338b:v92bz2Eb6pd7B6bAGx7J333g
                                                                  MD5:760A37743734493F9932E546677C2EF2
                                                                  SHA1:4BB319A4AD20E4EFDF2DFCF230E59808E35B46B2
                                                                  SHA-256:B85D912CDB8A4D222EC9AFF890BD2D531E7587DFE5DE1029DB6EB99EFFB2C1C1
                                                                  SHA-512:CEEFB0306750EEB52BC9C6EDF89A89BA21D55B3E5E22B8CDC35D23C2000CB12483509FE5970DAC74801A84B30E412F918300669D12B4330240387804F7F7FB59
                                                                  Malicious:true
                                                                  Reputation:unknown
                                                                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................3...........@......@....................-......p-.29....-.......................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
                                                                  C:\Users\user\AppData\Local\Temp\is-D9HG4.tmp\_isetup\_setup64.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):6144
                                                                  Entropy (8bit):4.720366600008286
                                                                  Encrypted:false
                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\is-R4E5D.tmp\_isetup\_setup64.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):6144
                                                                  Entropy (8bit):4.720366600008286
                                                                  Encrypted:false
                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SharpDX Direct3D9Utility\SharpDX Direct3D9Utility.lnk
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Nov 25 20:51:08 2021, mtime=Thu Nov 25 20:51:09 2021, atime=Wed Oct 6 01:36:38 2021, length=6905344, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1085
                                                                  Entropy (8bit):4.86313590384958
                                                                  Encrypted:false
                                                                  SSDEEP:24:8mB8ggcb9oCbwZZ4bwbtE4A4yTrktiCboJm:8mB8gge9/wZmbcmfzwgCboJ
                                                                  MD5:0F102A4D33C8C2FD797731E6819534CD
                                                                  SHA1:55792903B3A5999AD94DFD4D42D5BBA3F7FE66AD
                                                                  SHA-256:39DC6B364B73C0534A282004179D8F286FA26811F05220B9AB0C40614782B50A
                                                                  SHA-512:49C5D68191B4128A9D514E50D21E095048783B5E31C83CC316DC6DCA46F1D826E48884ACE7F311136AC47F90AE741F4E0483CD80F00345D8AE6E10F7CCAA2344
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: L..................F.... ...u$..F.....5.F.......Z....^i.......................:..DG..Yr?.D..U..k0.&...&...........-..VR<N........F.......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny.ySU......Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny.ySU......Y....................D1,.R.o.a.m.i.n.g.....z.1.....ySx...SHARPD~1..b......ySc.ySx..........................._...S.h.a.r.p.D.X. .D.i.r.e.c.t.3.D.9.U.t.i.l.i.t.y.....h.2..^i.FS.. .RESTSH~1.EXE..L......ySe.ySe.....Q.........................r.e.s.t.s.h.a.r.p...e.x.e.......t...............-.......s...........{.zw.....C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe..5.....\.....\.....\.....\.....\.S.h.a.r.p.D.X. .D.i.r.e.c.t.3.D.9.U.t.i.l.i.t.y.\.r.e.s.t.s.h.a.r.p...e.x.e.7.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.S.h.a.r.p.D.X. .D.i.r.e.c.t.3.D.9.U.t.i.l.i.t.y.`.......X.......238576...........!a..%.H.VZAj...6..M..........-..!a..%.H.VZAj...6..M
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\ABOUT-NLS (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):76502
                                                                  Entropy (8bit):2.4185965872860735
                                                                  Encrypted:false
                                                                  SSDEEP:384:cvXuypQc+jWYla0GOtQBknkYVM/kLR78k/RPfkRr06uUxKQH6k+9i:c2aEWyZztmknkeM/kd78k5Pfk086kl
                                                                  MD5:B5A080B27B5B4C1A160D2BED1FCFAF9F
                                                                  SHA1:B50287B75A3B098301455E34C8D8E52A09FA8938
                                                                  SHA-256:4C825530CA79E944B63C56ED30BE58EF792B4ADAB6F7F38ABAB8C054432F4A86
                                                                  SHA-512:4EFCE9472E21B052B8FE8113DD3B5480586C06CD27C8535712B10BAE2F7E32F33530A9E8C8DA6F6D8FEAD682EE556EAEC0CDA2525CE9121EC95B6E25F3075696
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: 1 Notes on the Free Translation Project.***************************************..Free software is going international! The Free Translation Project is.a way to get maintainers of free software, translators, and users all.together, so that free software will gradually become able to speak many.languages. A few packages already provide translations for their.messages... If you found this `ABOUT-NLS' file inside a distribution, you may.assume that the distributed package does use GNU `gettext' internally,.itself available at your nearest GNU archive site. But you do _not_.need to install GNU `gettext' prior to configuring, installing or using.this package with messages translated... Installers will find here some useful hints. These notes also.explain how users should proceed for getting the programs to use the.available translations. They tell how people wanting to contribute and.work on translations can contact the appropriate team... When reporting bugs in the `intl/' direct
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\AUTHORS (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:UTF-8 Unicode text
                                                                  Category:dropped
                                                                  Size (bytes):4390
                                                                  Entropy (8bit):5.0878631480288785
                                                                  Encrypted:false
                                                                  SSDEEP:48:bGKA1YUK6lqGCNsdksZXnA2TZUIZABZpA5DtDVr36ko18dpeQqCvQ48SN7N3kPCz:KKA1HCNsdk5QpvRqCvaw1kPC3flcL+
                                                                  MD5:4B8E4F960D80B0458ACBEEA70D025895
                                                                  SHA1:8222D99B7F2CC775471BF0B55502627A457202B5
                                                                  SHA-256:37D3194DBD584985C5544E805E293C3F2A8833D7CCAF0935AC8678895665DCB3
                                                                  SHA-512:E7CCBDFD356A67B757C7B119189AC2C5A4707017AFA589644C9B43EBD72640C73182353EEE74267F9CDB7C66C59EB4FC0E821147A34E16EEE0A347106B915C80
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Tux Typing Original Author:.----------.Sam Hart <hart@geekcomix.com>..Current Maintainer and Lead Coder:.-------.David Bruce <davidstuartbruce@gmail.com>..Coders:.-------.David Bruce <davidstuartbruce@gmail.com>.Jesse Andrews <jdandr2@uky.edu>.Calvin Arndt <calarndt@tux4kids.org>.Sam Hart <hart@geekcomix.com>.Jacob Greig <bombastic@firstlinux.net>.Sreyas Kurumanghat.<k.sreyas@gmail.com>.Sreerenj Balachandran <bsreerenj@gmail.com>.Vimal Ravi <vimal_ravi@rediff.com>.Prince K. Antony <prince.kantony@gmail.com>.Mobin Mohan <mobinmohan@gmail.com>.Matthew Trey <tux4kids@treyhome.com>.Sarah Frisk <ssfrisk@gmail.com>..Packaging & Ports:.------------------.Holger Levsen <holger@debian.org> - (Debian packager).David Bruce <davidstuartbruce@gmail.com> - (Windows crossbuild using Linux host, OpenSUSE Build Service rpm packages, MacPorts build).Alex Shorthouse <ashorthouse@rsd13.org> - (more recent Mac OSX port).Luc Shrivers <Begasus@skynet.be> - (BeOS/Haiku port)..(previous packagers:).David Mar
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\COPYING (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):15131
                                                                  Entropy (8bit):4.682434970392502
                                                                  Encrypted:false
                                                                  SSDEEP:384:AEUwi5rRL67cyV12rPd34FomzM2/R+qWG:A7FCExGFzeqt
                                                                  MD5:CBBD794E2A0A289B9DFCC9F513D1996E
                                                                  SHA1:2D29C273FDA30310211BBF6A24127D589BE09B6C
                                                                  SHA-256:67F82E045CF7ACFEF853EA0F426575A8359161A0A325E19F02B529A87C4B6C34
                                                                  SHA-512:C1D6AA39A08542C0C92057946FA1E6A65759575DE1C446B0D11CDF922B2F41EB088B7DC007CD3858FF4AC8C22D6F02E4FAA94FF6A697064613F073C432FB1EF1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: .. GNU GENERAL PUBLIC LICENSE... Version 2, June 1991.. Copyright (C) 1989, 1991 Free Software Foundation, Inc.. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.License is intended to guarantee your freedom to share and change free.software--to make sure the software is free for all its users. This.General Public License applies to most of the Free Software.Foundation's software and to any other program whose authors commit to.using it. (Some other Free Software Foundation software is covered by.the GNU Library General Public License instead.) You can apply it to.your programs, too... When we speak of free software, we are referring to freedom, not.price. Our General Public Licenses are de
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\ChangeLog (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:UTF-8 Unicode text
                                                                  Category:dropped
                                                                  Size (bytes):29717
                                                                  Entropy (8bit):4.7846516544735325
                                                                  Encrypted:false
                                                                  SSDEEP:384:smHYO2QyLSEN5KmtCVtaMmy8dnMQxWMW0bbyyuE1T0+bTh1qWBHXYzI1W5L4V8Gd:1aQHej26aWvm6cC0WFmPY
                                                                  MD5:DD4E1B9708EF55F30D06198198AD2B03
                                                                  SHA1:34092F4338FD69E66F8C4525201BCF760FD55019
                                                                  SHA-256:07DEC805477121755D2C4309547017BBF6AE4A439C8D3925B7D928CAB2FFEEA7
                                                                  SHA-512:71A3423F3F68B99ECBAD311C00BBD00D9806037D71DDC5378D91D6E01EE64EF44DA8569DA027498D4F94CD0293C5DD504A042B64DEDF875DF92D9D96CE450352
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: 04 Apr 2010 (git.debian.org/tux4kids/tuxtype.git - tag = "version-1.8.1".[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.1..- Several minor enhancements - git commit messages now serving as..primary documentation of development, rather than this changelog...- Fish cascade backgrounds now selected randomly...- Fish cascade graphics now use true alpha channel rather than SDL..colorkey...- Some fixes related to file location of custom word lists...09 Nov 2009 (svn.debian.org/tux4kids - revision 1640) .[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.0. - Sarah Frisk's word list editor from GSoC 2009 has been merged in as. a new, somewhat "beta" feature...12 Sep 2009 (svn.debian.org/tux4kids - revision 1532) .[ David Bruce <davidstuartbruce@gmail.com> ]. - Media - new music files and backgrounds contributed by Caroline Ford,. some old sounds (the ones with suboptimal free licensing) removed - Tux. Typing is now 100% DFSG-compliant. Re
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\INSTALL (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):10644
                                                                  Entropy (8bit):4.801280319778263
                                                                  Encrypted:false
                                                                  SSDEEP:192:ZwDpWkkNH3WhWdWjPpAcWaprsKtFd2W7688zIOKBRqB:ZwDpWkCXWhWdWbp7WapTtyW7n0oRqB
                                                                  MD5:8FB227C6E1B6375D0AFD0DEED289E0B4
                                                                  SHA1:8C30D1E996821D2BA9E84E86214F24CBC094A005
                                                                  SHA-256:C4ADD274C0889E61F7F6B591C601842F9F9C3E7C17D36E4374AFEF4E1F899A50
                                                                  SHA-512:6BC7638BE91AFD98E0DC37B91007C1997B32CAFDFF524A6B4C06BC5DD61E28E9D184A2B662DBF55765F88CA3BB2DF3C7EBB00CA6287A011001C2D1AF1FA279AF
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Tux Typing 1.8.1.04 Apr 2010..NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows. For GNU/Linux users, you.need the "*dev" files for the SDL libs listed below, and should have the.dev file for SDL_Pango if you want to display non-Western text. TuxType.will build successfully, but without SDL_Pango support, if this header/lib.is not found...Most GNU/Linux users can install Tux Typing with their distribution's .package manager (such as apt or yum). To build from source, you can grab.the tuxtype_w_fonts*tar.gz, untar it, and build with "./configure; make;.make install". You do not need Autotools unless you are building from.a Subversion repository checkout. MacOSX users and Windows users can.install with very user-friendly binary installer packages - DSB...The current web site is http://www.tux4kids.com..The developer mailing list is tux4kids-tuxtype-dev@lists.alioth.debian.org..Feel free to email with any feedback or
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\OFL (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):4599
                                                                  Entropy (8bit):4.991877820151237
                                                                  Encrypted:false
                                                                  SSDEEP:96:rmgAmgnPUibMxxUDfGkKnjfRU88f+BktjVKvR1wyQeQHDZoN:yiXsMPZW88f+XvR9QHtE
                                                                  MD5:969851E3A70122069A4D9EE61DD5A2ED
                                                                  SHA1:C450C836DB375B12AB7A4C10B09375513D905A68
                                                                  SHA-256:CE243FD4A62B1B76C959FFBA6EC16A7A3146B2362D441AE4F9F7F32FC3750D6C
                                                                  SHA-512:54B335554F88E01EF0B07ED5F20C7FBC86EDE2E6395BA53AFC7B5DDF8C7DA728309A70E178ACD5AA8AFD16BCDF64527A1ACBB54D51D693A2966D34218F963DCE
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Copyright (c) <dates>, <Copyright Holder> (<URL|email>),.with Reserved Font Name <Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>),.with Reserved Font Name <additional Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>)...This Font Software is licensed under the SIL Open Font License, Version 1.1..This license is copied below, and is also available with a FAQ at:.http://scripts.sil.org/OFL...-----------------------------------------------------------.SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007.-----------------------------------------------------------..PREAMBLE.The goals of the Open Font License (OFL) are to stimulate worldwide.development of collaborative font projects, to support the font creation.efforts of academic and linguistic communities, and to provide a free and.open framework in which fonts may be shared and improved in partnership.with others...The OFL allows the licensed fonts to be used,
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\README (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):3612
                                                                  Entropy (8bit):4.707814791494116
                                                                  Encrypted:false
                                                                  SSDEEP:96:PxyP+cp7u0m7yLhA5hnmQi+8Eea67yrzb4GeC3xLGRLyynj:Pwmw7uh95fiEeVOP41EEyo
                                                                  MD5:F5E6311A96B7BD0715FFDD86CF1E1553
                                                                  SHA1:BB80358A88F84F8E6A310D9920B92D8F30FF4C14
                                                                  SHA-256:F5259F91C0D622D456FA99BE940184BD1EEB8EBD9D4EC28B44669BDD98176B45
                                                                  SHA-512:2ED6167B6227A83DC361B175E7ACB0FB23B126E782153B76758D54748AC396D0C19BC6E54E1659A6F4F6B5AE36891EBFAE075D8BBC8C992FAA01388F990D096B
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows - DSB...Tux Typing:.An Educational Typing Tutor Game Starring Tux, the Linux Penguin.----------------------------------------------------------------..(To install the game on your system, please read the INSTALL file.).. If you are interested in Translation/moving this game to another . language, please send a mail to .. David Bruce <davidstuartbruce@gmail.com>, . Holger Levsen <debian@layer-acht.org>, or to:.. <tux4kids-tuxtype-dev@lists.alioth.debian.org>.. Additional information on this subject is covered in "HowToTheme.html". in the "doc/en" directory of this package...(Updated 04 Apr 2010)..This is version 1.8.1 of Tux Typing...In Fish Cascade you control Tux as he searches for fish to eat. Fish fall.from the top of the screen. These fish have letters on them. Unforunately.for Tux, eating a fish with a letter on it will cause his stomach to.
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\TODO (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1043
                                                                  Entropy (8bit):4.6860266698980135
                                                                  Encrypted:false
                                                                  SSDEEP:24:NPVQRBFhBOKsV1+BBMKXOweWYK8dcxTJtXiwyfhpk:NuhBOKM1+BBMKdeLaJRr
                                                                  MD5:4D1B4BFAD0C4D377505C3C14B7B60EBB
                                                                  SHA1:07CBB76C647E8334506D1D63855689D4D001C4E2
                                                                  SHA-256:D00691DE52A7961695100061C9717E57CFFAA2D390A9A25311FB6775122830D5
                                                                  SHA-512:83D9BD9811EDFF42ACC72AEDB6DF95C28ABFFC197CC9521F3B3B62CD03B9A577F63E537FD8A6D941E61E6E24C6BE00977B3C98DC6608DBDF302ED6C28AE24449
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Updated 04 Apr 2010..Briefly, here are some current issues:..Tuxtype:..- Code: still needs a lot of cleanup. Tuxtype could benefit markedly from the reorganization using libt4k-common...- Build: mingw-cross-env crossbuild not ready for general consumption....- SDL_mixer 1.2.11 exits unexpectedly on initial call to Mix_OpenAudio(), reason not yet clear....- SDL_Pango builds successfully, but resultant program does not display any text when run under Windows....- If SDL_Pango disabled, configure script fails to link to SDL_ttf...- Build: need current binary build for Mac OS-X..- Input methods: tuxtype does not correctly handle keyboard input that uses more than one keypress for each character (such as Asian languages). The input methods code from tuxpaint has been added to the source tree, but is not yet actually used...- "Content" - could use better lessons to actually teach touch typing in a systematic fashion...- Should display lesson names rather than simply file names, and would b
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\TuxType_port_Mac.txt (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text, with very long lines
                                                                  Category:dropped
                                                                  Size (bytes):4056
                                                                  Entropy (8bit):4.947683257149111
                                                                  Encrypted:false
                                                                  SSDEEP:96:88AMGX2Jjro4obNTSdO7BUz6pZRgrKGTg:tApGJHoZtSw7arTTg
                                                                  MD5:12CD9A17B7741CB9989FEA8AEBF82C6F
                                                                  SHA1:B321C8B0122548853C9FCEDE1DCA4640C13711DD
                                                                  SHA-256:685964CBDA0311A79D10B315C503B15A7CE3EF9EC60C62AD8CE73DBA21A5986B
                                                                  SHA-512:488C19FE3D911FA5A8EC15E3712550BD1F6A2F3BEAF0A98E4432F86C77B891E044E724426F322FCA70B4D88E929F094454FCF890D2EEEC25B209447B95193FE1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: How I Ported Tuxtype to Mac OS X:..**Note** I am writing this from memory. These steps should work, but if they do not, contact the tuxtype developer team and search google for answers. That is how I was able to port Tuxtype...**Note** My tuxtye.xcodeproj should exist in the Tuxtype SVN. Open that to see my settings for the project...Requirements: .1. Mac OS 10.4 or higher (10.3, SDL, and Quicktime causes an error, so use 10.4).2. Xcode 2.5 [a free download from Apple's website] (or Xcode 3 should work but has not been tested)...Steps to get Tuxtype working on a Mac:..1. Download the following source codes:. a. SDL (I used version 1.2.12) [http://www.libsdl.org/download-1.2.php]. b. SDL_image (I used version 1.2.6) [http://www.libsdl.org/projects/SDL_image/]. c. SDL_mixer (I used version 1.2.8) [http://www.libsdl.org/projects/SDL_mixer/]. d. SDL_ttf (I used version 2.0.9) [http://www.libsdl.org/projects/SDL_ttf/]..2. Once you have SDL, open the SDL direct
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\howtotheme.html (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                  Category:dropped
                                                                  Size (bytes):12081
                                                                  Entropy (8bit):4.803085884480498
                                                                  Encrypted:false
                                                                  SSDEEP:192:GJJ6dzAFbjDECAUYMfPCpBjUipqr6n1LcVm+QdmG/x1L5/lNGI7:e6dzAN3/fCnpK6nlc0+gbF7
                                                                  MD5:4C5FDDC1BE71C19D6E1AE718916F5878
                                                                  SHA1:4F8DF91EBF3DF62F98B4FC92836D1CB36A986DE5
                                                                  SHA-256:83BB9EA4E0E5609A959E8ED34D56AB6DD7CBA40D449EC22077ABFD2173A22ED8
                                                                  SHA-512:DDC83945B172CF4038E8E7CE97B856FD238E29B8EE05EC1DF196F5B9FD43BC20780B201B8D0438D1A67BD3BF0389BB96A1673C14CB6A722051EC569BF687BA3E
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">.<html>.<head>.<title>How to create a theme for Tux Typing 1.5.13</title>.<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">.</head>.<body bgcolor="#ffffff">.<h2>Theming in Tux Typing 1.5.13</h2>.<p><i><b>NOTE (Dec 10, 2008) - this document is not very current. Most importantly, native language support now uses the standard GNU gettext libraries. Also, font selection has been automated by use of SDL_Pango on platforms where is available (GNU/Linux, at this time). The handling of word lists and custom images is unchanged. This document will updated as the maintainer's time allows - DSB</i><b></p>..<p>A "Theme" is a method to change the data which Tuxtyping uses. While this could be used to change the game about Tux and fish, to a game about a Cat and mice, more likely you are interested in making Tuxtyping work in another language. (if you are intersted in creating a new graphical theme like "Racecar
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-10PCM.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1043
                                                                  Entropy (8bit):4.6860266698980135
                                                                  Encrypted:false
                                                                  SSDEEP:24:NPVQRBFhBOKsV1+BBMKXOweWYK8dcxTJtXiwyfhpk:NuhBOKM1+BBMKdeLaJRr
                                                                  MD5:4D1B4BFAD0C4D377505C3C14B7B60EBB
                                                                  SHA1:07CBB76C647E8334506D1D63855689D4D001C4E2
                                                                  SHA-256:D00691DE52A7961695100061C9717E57CFFAA2D390A9A25311FB6775122830D5
                                                                  SHA-512:83D9BD9811EDFF42ACC72AEDB6DF95C28ABFFC197CC9521F3B3B62CD03B9A577F63E537FD8A6D941E61E6E24C6BE00977B3C98DC6608DBDF302ED6C28AE24449
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Updated 04 Apr 2010..Briefly, here are some current issues:..Tuxtype:..- Code: still needs a lot of cleanup. Tuxtype could benefit markedly from the reorganization using libt4k-common...- Build: mingw-cross-env crossbuild not ready for general consumption....- SDL_mixer 1.2.11 exits unexpectedly on initial call to Mix_OpenAudio(), reason not yet clear....- SDL_Pango builds successfully, but resultant program does not display any text when run under Windows....- If SDL_Pango disabled, configure script fails to link to SDL_ttf...- Build: need current binary build for Mac OS-X..- Input methods: tuxtype does not correctly handle keyboard input that uses more than one keypress for each character (such as Asian languages). The input methods code from tuxpaint has been added to the source tree, but is not yet actually used...- "Content" - could use better lessons to actually teach touch typing in a systematic fashion...- Should display lesson names rather than simply file names, and would b
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-7BUSD.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:UTF-8 Unicode text
                                                                  Category:dropped
                                                                  Size (bytes):4390
                                                                  Entropy (8bit):5.0878631480288785
                                                                  Encrypted:false
                                                                  SSDEEP:48:bGKA1YUK6lqGCNsdksZXnA2TZUIZABZpA5DtDVr36ko18dpeQqCvQ48SN7N3kPCz:KKA1HCNsdk5QpvRqCvaw1kPC3flcL+
                                                                  MD5:4B8E4F960D80B0458ACBEEA70D025895
                                                                  SHA1:8222D99B7F2CC775471BF0B55502627A457202B5
                                                                  SHA-256:37D3194DBD584985C5544E805E293C3F2A8833D7CCAF0935AC8678895665DCB3
                                                                  SHA-512:E7CCBDFD356A67B757C7B119189AC2C5A4707017AFA589644C9B43EBD72640C73182353EEE74267F9CDB7C66C59EB4FC0E821147A34E16EEE0A347106B915C80
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Tux Typing Original Author:.----------.Sam Hart <hart@geekcomix.com>..Current Maintainer and Lead Coder:.-------.David Bruce <davidstuartbruce@gmail.com>..Coders:.-------.David Bruce <davidstuartbruce@gmail.com>.Jesse Andrews <jdandr2@uky.edu>.Calvin Arndt <calarndt@tux4kids.org>.Sam Hart <hart@geekcomix.com>.Jacob Greig <bombastic@firstlinux.net>.Sreyas Kurumanghat.<k.sreyas@gmail.com>.Sreerenj Balachandran <bsreerenj@gmail.com>.Vimal Ravi <vimal_ravi@rediff.com>.Prince K. Antony <prince.kantony@gmail.com>.Mobin Mohan <mobinmohan@gmail.com>.Matthew Trey <tux4kids@treyhome.com>.Sarah Frisk <ssfrisk@gmail.com>..Packaging & Ports:.------------------.Holger Levsen <holger@debian.org> - (Debian packager).David Bruce <davidstuartbruce@gmail.com> - (Windows crossbuild using Linux host, OpenSUSE Build Service rpm packages, MacPorts build).Alex Shorthouse <ashorthouse@rsd13.org> - (more recent Mac OSX port).Luc Shrivers <Begasus@skynet.be> - (BeOS/Haiku port)..(previous packagers:).David Mar
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-9HB46.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):3612
                                                                  Entropy (8bit):4.707814791494116
                                                                  Encrypted:false
                                                                  SSDEEP:96:PxyP+cp7u0m7yLhA5hnmQi+8Eea67yrzb4GeC3xLGRLyynj:Pwmw7uh95fiEeVOP41EEyo
                                                                  MD5:F5E6311A96B7BD0715FFDD86CF1E1553
                                                                  SHA1:BB80358A88F84F8E6A310D9920B92D8F30FF4C14
                                                                  SHA-256:F5259F91C0D622D456FA99BE940184BD1EEB8EBD9D4EC28B44669BDD98176B45
                                                                  SHA-512:2ED6167B6227A83DC361B175E7ACB0FB23B126E782153B76758D54748AC396D0C19BC6E54E1659A6F4F6B5AE36891EBFAE075D8BBC8C992FAA01388F990D096B
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows - DSB...Tux Typing:.An Educational Typing Tutor Game Starring Tux, the Linux Penguin.----------------------------------------------------------------..(To install the game on your system, please read the INSTALL file.).. If you are interested in Translation/moving this game to another . language, please send a mail to .. David Bruce <davidstuartbruce@gmail.com>, . Holger Levsen <debian@layer-acht.org>, or to:.. <tux4kids-tuxtype-dev@lists.alioth.debian.org>.. Additional information on this subject is covered in "HowToTheme.html". in the "doc/en" directory of this package...(Updated 04 Apr 2010)..This is version 1.8.1 of Tux Typing...In Fish Cascade you control Tux as he searches for fish to eat. Fish fall.from the top of the screen. These fish have letters on them. Unforunately.for Tux, eating a fish with a letter on it will cause his stomach to.
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-A4NET.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:UTF-8 Unicode text
                                                                  Category:dropped
                                                                  Size (bytes):29717
                                                                  Entropy (8bit):4.7846516544735325
                                                                  Encrypted:false
                                                                  SSDEEP:384:smHYO2QyLSEN5KmtCVtaMmy8dnMQxWMW0bbyyuE1T0+bTh1qWBHXYzI1W5L4V8Gd:1aQHej26aWvm6cC0WFmPY
                                                                  MD5:DD4E1B9708EF55F30D06198198AD2B03
                                                                  SHA1:34092F4338FD69E66F8C4525201BCF760FD55019
                                                                  SHA-256:07DEC805477121755D2C4309547017BBF6AE4A439C8D3925B7D928CAB2FFEEA7
                                                                  SHA-512:71A3423F3F68B99ECBAD311C00BBD00D9806037D71DDC5378D91D6E01EE64EF44DA8569DA027498D4F94CD0293C5DD504A042B64DEDF875DF92D9D96CE450352
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: 04 Apr 2010 (git.debian.org/tux4kids/tuxtype.git - tag = "version-1.8.1".[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.1..- Several minor enhancements - git commit messages now serving as..primary documentation of development, rather than this changelog...- Fish cascade backgrounds now selected randomly...- Fish cascade graphics now use true alpha channel rather than SDL..colorkey...- Some fixes related to file location of custom word lists...09 Nov 2009 (svn.debian.org/tux4kids - revision 1640) .[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.0. - Sarah Frisk's word list editor from GSoC 2009 has been merged in as. a new, somewhat "beta" feature...12 Sep 2009 (svn.debian.org/tux4kids - revision 1532) .[ David Bruce <davidstuartbruce@gmail.com> ]. - Media - new music files and backgrounds contributed by Caroline Ford,. some old sounds (the ones with suboptimal free licensing) removed - Tux. Typing is now 100% DFSG-compliant. Re
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-DKB8H.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):76502
                                                                  Entropy (8bit):2.4185965872860735
                                                                  Encrypted:false
                                                                  SSDEEP:384:cvXuypQc+jWYla0GOtQBknkYVM/kLR78k/RPfkRr06uUxKQH6k+9i:c2aEWyZztmknkeM/kd78k5Pfk086kl
                                                                  MD5:B5A080B27B5B4C1A160D2BED1FCFAF9F
                                                                  SHA1:B50287B75A3B098301455E34C8D8E52A09FA8938
                                                                  SHA-256:4C825530CA79E944B63C56ED30BE58EF792B4ADAB6F7F38ABAB8C054432F4A86
                                                                  SHA-512:4EFCE9472E21B052B8FE8113DD3B5480586C06CD27C8535712B10BAE2F7E32F33530A9E8C8DA6F6D8FEAD682EE556EAEC0CDA2525CE9121EC95B6E25F3075696
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: 1 Notes on the Free Translation Project.***************************************..Free software is going international! The Free Translation Project is.a way to get maintainers of free software, translators, and users all.together, so that free software will gradually become able to speak many.languages. A few packages already provide translations for their.messages... If you found this `ABOUT-NLS' file inside a distribution, you may.assume that the distributed package does use GNU `gettext' internally,.itself available at your nearest GNU archive site. But you do _not_.need to install GNU `gettext' prior to configuring, installing or using.this package with messages translated... Installers will find here some useful hints. These notes also.explain how users should proceed for getting the programs to use the.available translations. They tell how people wanting to contribute and.work on translations can contact the appropriate team... When reporting bugs in the `intl/' direct
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-F1A0H.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):10644
                                                                  Entropy (8bit):4.801280319778263
                                                                  Encrypted:false
                                                                  SSDEEP:192:ZwDpWkkNH3WhWdWjPpAcWaprsKtFd2W7688zIOKBRqB:ZwDpWkCXWhWdWbp7WapTtyW7n0oRqB
                                                                  MD5:8FB227C6E1B6375D0AFD0DEED289E0B4
                                                                  SHA1:8C30D1E996821D2BA9E84E86214F24CBC094A005
                                                                  SHA-256:C4ADD274C0889E61F7F6B591C601842F9F9C3E7C17D36E4374AFEF4E1F899A50
                                                                  SHA-512:6BC7638BE91AFD98E0DC37B91007C1997B32CAFDFF524A6B4C06BC5DD61E28E9D184A2B662DBF55765F88CA3BB2DF3C7EBB00CA6287A011001C2D1AF1FA279AF
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Tux Typing 1.8.1.04 Apr 2010..NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows. For GNU/Linux users, you.need the "*dev" files for the SDL libs listed below, and should have the.dev file for SDL_Pango if you want to display non-Western text. TuxType.will build successfully, but without SDL_Pango support, if this header/lib.is not found...Most GNU/Linux users can install Tux Typing with their distribution's .package manager (such as apt or yum). To build from source, you can grab.the tuxtype_w_fonts*tar.gz, untar it, and build with "./configure; make;.make install". You do not need Autotools unless you are building from.a Subversion repository checkout. MacOSX users and Windows users can.install with very user-friendly binary installer packages - DSB...The current web site is http://www.tux4kids.com..The developer mailing list is tux4kids-tuxtype-dev@lists.alioth.debian.org..Feel free to email with any feedback or
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-I63UE.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text, with very long lines
                                                                  Category:dropped
                                                                  Size (bytes):4056
                                                                  Entropy (8bit):4.947683257149111
                                                                  Encrypted:false
                                                                  SSDEEP:96:88AMGX2Jjro4obNTSdO7BUz6pZRgrKGTg:tApGJHoZtSw7arTTg
                                                                  MD5:12CD9A17B7741CB9989FEA8AEBF82C6F
                                                                  SHA1:B321C8B0122548853C9FCEDE1DCA4640C13711DD
                                                                  SHA-256:685964CBDA0311A79D10B315C503B15A7CE3EF9EC60C62AD8CE73DBA21A5986B
                                                                  SHA-512:488C19FE3D911FA5A8EC15E3712550BD1F6A2F3BEAF0A98E4432F86C77B891E044E724426F322FCA70B4D88E929F094454FCF890D2EEEC25B209447B95193FE1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: How I Ported Tuxtype to Mac OS X:..**Note** I am writing this from memory. These steps should work, but if they do not, contact the tuxtype developer team and search google for answers. That is how I was able to port Tuxtype...**Note** My tuxtye.xcodeproj should exist in the Tuxtype SVN. Open that to see my settings for the project...Requirements: .1. Mac OS 10.4 or higher (10.3, SDL, and Quicktime causes an error, so use 10.4).2. Xcode 2.5 [a free download from Apple's website] (or Xcode 3 should work but has not been tested)...Steps to get Tuxtype working on a Mac:..1. Download the following source codes:. a. SDL (I used version 1.2.12) [http://www.libsdl.org/download-1.2.php]. b. SDL_image (I used version 1.2.6) [http://www.libsdl.org/projects/SDL_image/]. c. SDL_mixer (I used version 1.2.8) [http://www.libsdl.org/projects/SDL_mixer/]. d. SDL_ttf (I used version 2.0.9) [http://www.libsdl.org/projects/SDL_ttf/]..2. Once you have SDL, open the SDL direct
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-JKD0P.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                  Category:dropped
                                                                  Size (bytes):12081
                                                                  Entropy (8bit):4.803085884480498
                                                                  Encrypted:false
                                                                  SSDEEP:192:GJJ6dzAFbjDECAUYMfPCpBjUipqr6n1LcVm+QdmG/x1L5/lNGI7:e6dzAN3/fCnpK6nlc0+gbF7
                                                                  MD5:4C5FDDC1BE71C19D6E1AE718916F5878
                                                                  SHA1:4F8DF91EBF3DF62F98B4FC92836D1CB36A986DE5
                                                                  SHA-256:83BB9EA4E0E5609A959E8ED34D56AB6DD7CBA40D449EC22077ABFD2173A22ED8
                                                                  SHA-512:DDC83945B172CF4038E8E7CE97B856FD238E29B8EE05EC1DF196F5B9FD43BC20780B201B8D0438D1A67BD3BF0389BB96A1673C14CB6A722051EC569BF687BA3E
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">.<html>.<head>.<title>How to create a theme for Tux Typing 1.5.13</title>.<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">.</head>.<body bgcolor="#ffffff">.<h2>Theming in Tux Typing 1.5.13</h2>.<p><i><b>NOTE (Dec 10, 2008) - this document is not very current. Most importantly, native language support now uses the standard GNU gettext libraries. Also, font selection has been automated by use of SDL_Pango on platforms where is available (GNU/Linux, at this time). The handling of word lists and custom images is unchanged. This document will updated as the maintainer's time allows - DSB</i><b></p>..<p>A "Theme" is a method to change the data which Tuxtyping uses. While this could be used to change the game about Tux and fish, to a game about a Cat and mice, more likely you are interested in making Tuxtyping work in another language. (if you are intersted in creating a new graphical theme like "Racecar
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-MTM5B.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):4599
                                                                  Entropy (8bit):4.991877820151237
                                                                  Encrypted:false
                                                                  SSDEEP:96:rmgAmgnPUibMxxUDfGkKnjfRU88f+BktjVKvR1wyQeQHDZoN:yiXsMPZW88f+XvR9QHtE
                                                                  MD5:969851E3A70122069A4D9EE61DD5A2ED
                                                                  SHA1:C450C836DB375B12AB7A4C10B09375513D905A68
                                                                  SHA-256:CE243FD4A62B1B76C959FFBA6EC16A7A3146B2362D441AE4F9F7F32FC3750D6C
                                                                  SHA-512:54B335554F88E01EF0B07ED5F20C7FBC86EDE2E6395BA53AFC7B5DDF8C7DA728309A70E178ACD5AA8AFD16BCDF64527A1ACBB54D51D693A2966D34218F963DCE
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: Copyright (c) <dates>, <Copyright Holder> (<URL|email>),.with Reserved Font Name <Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>),.with Reserved Font Name <additional Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>)...This Font Software is licensed under the SIL Open Font License, Version 1.1..This license is copied below, and is also available with a FAQ at:.http://scripts.sil.org/OFL...-----------------------------------------------------------.SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007.-----------------------------------------------------------..PREAMBLE.The goals of the Open Font License (OFL) are to stimulate worldwide.development of collaborative font projects, to support the font creation.efforts of academic and linguistic communities, and to provide a free and.open framework in which fonts may be shared and improved in partnership.with others...The OFL allows the licensed fonts to be used,
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-S5ANL.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):15131
                                                                  Entropy (8bit):4.682434970392502
                                                                  Encrypted:false
                                                                  SSDEEP:384:AEUwi5rRL67cyV12rPd34FomzM2/R+qWG:A7FCExGFzeqt
                                                                  MD5:CBBD794E2A0A289B9DFCC9F513D1996E
                                                                  SHA1:2D29C273FDA30310211BBF6A24127D589BE09B6C
                                                                  SHA-256:67F82E045CF7ACFEF853EA0F426575A8359161A0A325E19F02B529A87C4B6C34
                                                                  SHA-512:C1D6AA39A08542C0C92057946FA1E6A65759575DE1C446B0D11CDF922B2F41EB088B7DC007CD3858FF4AC8C22D6F02E4FAA94FF6A697064613F073C432FB1EF1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: .. GNU GENERAL PUBLIC LICENSE... Version 2, June 1991.. Copyright (C) 1989, 1991 Free Software Foundation, Inc.. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.License is intended to guarantee your freedom to share and change free.software--to make sure the software is free for all its users. This.General Public License applies to most of the Free Software.Foundation's software and to any other program whose authors commit to.using it. (Some other Free Software Foundation software is covered by.the GNU Library General Public License instead.) You can apply it to.your programs, too... When we speak of free software, we are referring to freedom, not.price. Our General Public Licenses are de
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\is-U3QQK.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                  Category:dropped
                                                                  Size (bytes):36160
                                                                  Entropy (8bit):4.7594335666742
                                                                  Encrypted:false
                                                                  SSDEEP:192:n6RclftgswUxW/UJT57VEhtiS06VkndpfZsZKZgZjZo9qR9ILWZUZyZFZaZMZ7ZJ:BTgswUR7VEhGyBN
                                                                  MD5:AADCC5C24B7AA66773A82C8DCF90DC3F
                                                                  SHA1:35AB43174C9489801E957ED0E19E50ABD6ED655D
                                                                  SHA-256:9C8C1508E4255C98C0ECBFFB6184C50711E32B2B150346CE2B53AA58BD5749DC
                                                                  SHA-512:5127B56915677B5E1E17C8FB9B8B9B26BCA07B53E9585437B38B1E94F422EDA5ED7B59BA86DFBFE0247E75A8351C61BAE505874AE3D2A3410275AA51154CC6C9
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <HTML>.<BODY>.<H1>TuxType Custom Scripting Reference</H1>.<h3>Contents</h3>.<a href="#introduction">Introduction</a><BR>.<a href="#locations">File Locations</a><BR>.<a href="#basics">The Basics</a><BR>.<a href="#hierarchy">XML Tag Hierarchy</a><BR>.<a href="#samples">Samples</a><BR>.<a href="#tags">Tag Reference</a><BR>..<BR><BR><BR><BR>.<a name="introduction">.<h4>Introduction</h4>.Tuxtype lessons can be customized with relative ease. It just takes a little<BR>.imagination, and a text editor.<BR>.<BR>.<a name="locations">.<h4>File Locations</h4>.Tuxtype first looks in your language (theme) directory for lesson files<BR>.<B>(Non-English Users Only)</B><BR>.eg: (&lt;TuxType directory&gt;/data/themes/&lt;language&gt;/scripts/),<BR><BR>.or in the default directory if you are using TuxType in english<BR>.(&lt;TuxType directory&gt;/data/scripts/)<BR>.<BR>.If there is not a scripts folder in your language (theme) directory, You may<BR>.safely create it<BR>.<BR>.<a name="basics">.<h4>The Ba
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\doc\lesson_scripting_reference.html (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                  Category:dropped
                                                                  Size (bytes):36160
                                                                  Entropy (8bit):4.7594335666742
                                                                  Encrypted:false
                                                                  SSDEEP:192:n6RclftgswUxW/UJT57VEhtiS06VkndpfZsZKZgZjZo9qR9ILWZUZyZFZaZMZ7ZJ:BTgswUR7VEhGyBN
                                                                  MD5:AADCC5C24B7AA66773A82C8DCF90DC3F
                                                                  SHA1:35AB43174C9489801E957ED0E19E50ABD6ED655D
                                                                  SHA-256:9C8C1508E4255C98C0ECBFFB6184C50711E32B2B150346CE2B53AA58BD5749DC
                                                                  SHA-512:5127B56915677B5E1E17C8FB9B8B9B26BCA07B53E9585437B38B1E94F422EDA5ED7B59BA86DFBFE0247E75A8351C61BAE505874AE3D2A3410275AA51154CC6C9
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <HTML>.<BODY>.<H1>TuxType Custom Scripting Reference</H1>.<h3>Contents</h3>.<a href="#introduction">Introduction</a><BR>.<a href="#locations">File Locations</a><BR>.<a href="#basics">The Basics</a><BR>.<a href="#hierarchy">XML Tag Hierarchy</a><BR>.<a href="#samples">Samples</a><BR>.<a href="#tags">Tag Reference</a><BR>..<BR><BR><BR><BR>.<a name="introduction">.<h4>Introduction</h4>.Tuxtype lessons can be customized with relative ease. It just takes a little<BR>.imagination, and a text editor.<BR>.<BR>.<a name="locations">.<h4>File Locations</h4>.Tuxtype first looks in your language (theme) directory for lesson files<BR>.<B>(Non-English Users Only)</B><BR>.eg: (&lt;TuxType directory&gt;/data/themes/&lt;language&gt;/scripts/),<BR><BR>.or in the default directory if you are using TuxType in english<BR>.(&lt;TuxType directory&gt;/data/scripts/)<BR>.<BR>.If there is not a scripts folder in your language (theme) directory, You may<BR>.safely create it<BR>.<BR>.<a name="basics">.<h4>The Ba
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\Kedage-n.ttf (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 16 tables, 1st "GDEF", 26 names, Unicode
                                                                  Category:dropped
                                                                  Size (bytes):100056
                                                                  Entropy (8bit):6.938355019015695
                                                                  Encrypted:false
                                                                  SSDEEP:1536:f2IGmE7hw5dfZZx1NoA/U5c/H4yQcAa+CrSV/DiU+XB6xAY3DG2NLyPGfGT85Sfx:f2xwLZZxb/U5PyQnaZ2ewrDGiLyPv
                                                                  MD5:16024BEA0EB7A59995C59EDF5DF20D8F
                                                                  SHA1:33710D5CEEA4684CE09C4616DBE03B881058640F
                                                                  SHA-256:9AC4C694374E9BDD49C74E5852A990EAF1256D92DE859E6F2CBC42272102C1A5
                                                                  SHA-512:C3B7E12D526745B189AA1606B14E950E1F7913491EF105A8264705E699E0352830F541190477403F8FC3616F1DE6CA9CC111D6A9C96505587B3B0BCCFBABEB0A
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ............GDEF......z....ZGPOSk.d...z\... GSUB=rS...z|...ZOS/27.i........VPCLT..o...y....6cmap.#..........cvt }.#........:fpgm.3.O...x....glyf.a%.......OHhead.~*........6hhea...^...D...$hmtxF._.........loca.=.........maxp.>.>...h... name.JBF..a....9post.9x|..e.............4m9._.<..........s........8R.....q.9...........................4.q.....................................@.....@.........N.....................P.f...............@..............MS .@. ...r.......H.............................u.f.......d.y.f.....R.........T.;.f.......f...f.F.......=.................................!...!.....=...q...........J...J.T.;.\.J.T.....{.f.....{...{...p...^.).{.u.{...........s...q...d...F...F...F...g.{.}...d...R...F...F...m...F...y...{...m...y...{...{.=.o.......o...o...o...h...{...{...F...F.Z.q.`.m...y...f...q...{...q...m...{...}...^...+.F...F...D.d.................F...y...............;.V.F.m.y.....m.......y...H...T...m...f...T...f...R...j...b.........D.d.......o.).X.V.........o.........y......
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\is-FKQB3.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2003, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                                  Category:dropped
                                                                  Size (bytes):64760
                                                                  Entropy (8bit):6.514217361307989
                                                                  Encrypted:false
                                                                  SSDEEP:1536:/JkO5XuoOM3qn3RDWuLHmBET8La0O5dGXwZR:x75Xu5n3BWubmST8ufdGAz
                                                                  MD5:2E6070E9B26AC1377F9208C320D62591
                                                                  SHA1:A5C6D4AC71748C0979968A40180A575F611C73D4
                                                                  SHA-256:9499F3B7446292DC164A7ACDABD8B6B38AE3D94B9D092004C1ED48DCBB83BB44
                                                                  SHA-512:06EB42262382E78D83D48D554EA4453AFB36887C57643CED6128139B71D4465544B79689D939DE52F6EB426788153F71B79F1E3D70563D51632A12D743E5714F
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ...........@GDEF.&.%...L....GPOS"v/....l....GSUBlT.....t....LTSHSr.........#OS/2...........VVDMX[zc....t....cmap&.`...T....cvt ......`...xfpgm..^........dgasp.......<....glyf0y.....L...Rhdmx3.>V......Dhead...........6hhea...........$hmtx......@...|loca...E......@maxp........... name............post....... ....prepS0_................................................*.8..taml......ENG ..................abvm.......................|...................................................................................h.........................................u.u...................u.u.................................................2.v..taml......ENG ..........................abvs. akhn.(half..haln.4psts.:...........................................".*.2.:.B.J.......@.......V.......x.................................................................r.r.........4.8.<.@.D.H.L.P.T.X.\.`.d.h.l.p.t.x.|...........\...^...`...b...d...f...h...j...l...n...p...r...t...v...x...z...|...~..................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\is-H8GRE.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 16 tables, 1st "GDEF", 26 names, Unicode
                                                                  Category:dropped
                                                                  Size (bytes):100056
                                                                  Entropy (8bit):6.938355019015695
                                                                  Encrypted:false
                                                                  SSDEEP:1536:f2IGmE7hw5dfZZx1NoA/U5c/H4yQcAa+CrSV/DiU+XB6xAY3DG2NLyPGfGT85Sfx:f2xwLZZxb/U5PyQnaZ2ewrDGiLyPv
                                                                  MD5:16024BEA0EB7A59995C59EDF5DF20D8F
                                                                  SHA1:33710D5CEEA4684CE09C4616DBE03B881058640F
                                                                  SHA-256:9AC4C694374E9BDD49C74E5852A990EAF1256D92DE859E6F2CBC42272102C1A5
                                                                  SHA-512:C3B7E12D526745B189AA1606B14E950E1F7913491EF105A8264705E699E0352830F541190477403F8FC3616F1DE6CA9CC111D6A9C96505587B3B0BCCFBABEB0A
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ............GDEF......z....ZGPOSk.d...z\... GSUB=rS...z|...ZOS/27.i........VPCLT..o...y....6cmap.#..........cvt }.#........:fpgm.3.O...x....glyf.a%.......OHhead.~*........6hhea...^...D...$hmtxF._.........loca.=.........maxp.>.>...h... name.JBF..a....9post.9x|..e.............4m9._.<..........s........8R.....q.9...........................4.q.....................................@.....@.........N.....................P.f...............@..............MS .@. ...r.......H.............................u.f.......d.y.f.....R.........T.;.f.......f...f.F.......=.................................!...!.....=...q...........J...J.T.;.\.J.T.....{.f.....{...{...p...^.).{.u.{...........s...q...d...F...F...F...g.{.}...d...R...F...F...m...F...y...{...m...y...{...{.=.o.......o...o...o...h...{...{...F...F.Z.q.`.m...y...f...q...{...q...m...{...}...^...+.F...F...D.d.................F...y...............;.V.F.m.y.....m.......y...H...T...m...f...T...f...R...j...b.........D.d.......o.).X.V.........o.........y......
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\is-R7I1J.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 16 tables, 1st "GDEF", 14 names, Macintosh
                                                                  Category:dropped
                                                                  Size (bytes):76600
                                                                  Entropy (8bit):6.3178993263494165
                                                                  Encrypted:false
                                                                  SSDEEP:1536:V6ksURZ3E0fWPnVV9X15POG/EVy0Mft4tb1a7Il/6gbScGTDI1uw44f:VpvPRfWPVXj1EVut4V1a7GygGgr
                                                                  MD5:4808DDF3A48DC3B6A4F93DBD3D17EB4E
                                                                  SHA1:0629A606CF59C08EBCF53DCD9535AE0D30755903
                                                                  SHA-256:5EA6D5AF952385A37B83EB3821253D46542AF509673ADD90075E7FEAF1D8B453
                                                                  SHA-512:F48B68DC4F4C90125347A8327F8D5C91636630528B5B033045401C784B088FD00FC812B978D4466779419C3EC1AD726B1DA41308079E86A1DB62FBB7E8CAEE88
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ............GDEF.(..........GPOS......!.....GSUB...:...,...VOS/2...........Vcmap..F...@....cvt +|Bv...|...$fpgm..^........dglyf8..=...T....head..Rk.......6hhea.......D...$hmtx.=.........`loca*...........maxp...H...h... name.m.....@....postqL.....@...RprepS0_....p.............C.._.<..........c.......c.......4.........................3...:.4.................X.....X.............<.@...D.o.......s.........b.......b.....C.M.................. @........PfEd.@..%......................)...........<...S.d...d...d...d...d.g.d...d...d...d.n.d...d...d...........O.S.d.................w.......`...........................................9.......|.......}...................5...D...w...C.......`.....(.......$.I...I...................C...T.............................................................$...........................a..."...8.......n...8...0.......T...........N.....D...........x...<.......T...r...............n...C.....d.......q.......g...d...x...W...d...t.!.d.............3...`.d...d...d.<.d...d
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\is-VV3AK.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2001, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                                  Category:dropped
                                                                  Size (bytes):58240
                                                                  Entropy (8bit):5.620492732134304
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Q42z0R0cX1S641B6rG+Xp+jPAh7n/pOkfH4r:2QWcXEpX6a+Xp+jo1/pOUHi
                                                                  MD5:CC2EE1B756FC72A58C52294854FA35D7
                                                                  SHA1:58E6658240C710DD7EB9DE46FDD8515390219196
                                                                  SHA-256:B9920211B0E1D19B55FBEF3CB602248FA8F0FF87598878769188209CBB7F6EAC
                                                                  SHA-512:1BCC638F7D8901CFE4DCA2983F9C6EFB31C7A5FCAEEEAE06F6252E428111E709F3EDFA55868FFEA412D7BB10F995D81AC7E0C36BA37F8AABB6C985B5B2DC15EF
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ...........@GDEF.......L...NGPOS.D.........tGSUB...........,LTSH&%%....<....OS/2...........VVDMX.......0....cmap*.9.........cvt ~..........Rfpgm..^....D...dgasp............glyfCR+........$hdmx0..%.......Hhead.......$...6hhea.F.....\...$hmtx...X......Tloca.0.T.......Xmaxp.......,... name.......L....post.......h....prepS0_....p.............F........./...0.0...1.a...b.e...f.t...u.v...w......................................guru................abvm...............................B...&.0.....................................0.0.......2.:.....@.\.....:.................................................n.t.....0.0...b.e...u.v.............F.F...N.N.............@...0.8.....H.....X.....X.....P.....`...........p.....................................................................................&.d..guru........................abvs. blwf.&nukt.,psts.2vatu.8.......................................&...X.......R.......................<.........................(.:.L.^.p...............^...B........... ...
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\lohit_hi.ttf (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 16 tables, 1st "GDEF", 14 names, Macintosh
                                                                  Category:dropped
                                                                  Size (bytes):76600
                                                                  Entropy (8bit):6.3178993263494165
                                                                  Encrypted:false
                                                                  SSDEEP:1536:V6ksURZ3E0fWPnVV9X15POG/EVy0Mft4tb1a7Il/6gbScGTDI1uw44f:VpvPRfWPVXj1EVut4V1a7GygGgr
                                                                  MD5:4808DDF3A48DC3B6A4F93DBD3D17EB4E
                                                                  SHA1:0629A606CF59C08EBCF53DCD9535AE0D30755903
                                                                  SHA-256:5EA6D5AF952385A37B83EB3821253D46542AF509673ADD90075E7FEAF1D8B453
                                                                  SHA-512:F48B68DC4F4C90125347A8327F8D5C91636630528B5B033045401C784B088FD00FC812B978D4466779419C3EC1AD726B1DA41308079E86A1DB62FBB7E8CAEE88
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ............GDEF.(..........GPOS......!.....GSUB...:...,...VOS/2...........Vcmap..F...@....cvt +|Bv...|...$fpgm..^........dglyf8..=...T....head..Rk.......6hhea.......D...$hmtx.=.........`loca*...........maxp...H...h... name.m.....@....postqL.....@...RprepS0_....p.............C.._.<..........c.......c.......4.........................3...:.4.................X.....X.............<.@...D.o.......s.........b.......b.....C.M.................. @........PfEd.@..%......................)...........<...S.d...d...d...d...d.g.d...d...d...d.n.d...d...d...........O.S.d.................w.......`...........................................9.......|.......}...................5...D...w...C.......`.....(.......$.I...I...................C...T.............................................................$...........................a..."...8.......n...8...0.......T...........N.....D...........x...<.......T...r...............n...C.....d.......q.......g...d...x...W...d...t.!.d.............3...`.d...d...d.<.d...d
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\lohit_pa.ttf (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2001, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                                  Category:dropped
                                                                  Size (bytes):58240
                                                                  Entropy (8bit):5.620492732134304
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Q42z0R0cX1S641B6rG+Xp+jPAh7n/pOkfH4r:2QWcXEpX6a+Xp+jo1/pOUHi
                                                                  MD5:CC2EE1B756FC72A58C52294854FA35D7
                                                                  SHA1:58E6658240C710DD7EB9DE46FDD8515390219196
                                                                  SHA-256:B9920211B0E1D19B55FBEF3CB602248FA8F0FF87598878769188209CBB7F6EAC
                                                                  SHA-512:1BCC638F7D8901CFE4DCA2983F9C6EFB31C7A5FCAEEEAE06F6252E428111E709F3EDFA55868FFEA412D7BB10F995D81AC7E0C36BA37F8AABB6C985B5B2DC15EF
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ...........@GDEF.......L...NGPOS.D.........tGSUB...........,LTSH&%%....<....OS/2...........VVDMX.......0....cmap*.9.........cvt ~..........Rfpgm..^....D...dgasp............glyfCR+........$hdmx0..%.......Hhead.......$...6hhea.F.....\...$hmtx...X......Tloca.0.T.......Xmaxp.......,... name.......L....post.......h....prepS0_....p.............F........./...0.0...1.a...b.e...f.t...u.v...w......................................guru................abvm...............................B...&.0.....................................0.0.......2.:.....@.\.....:.................................................n.t.....0.0...b.e...u.v.............F.F...N.N.............@...0.8.....H.....X.....X.....P.....`...........p.....................................................................................&.d..guru........................abvs. blwf.&nukt.,psts.2vatu.8.......................................&...X.......R.......................<.........................(.:.L.^.p...............^...B........... ...
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\fonts\lohit_ta.ttf (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2003, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                                  Category:dropped
                                                                  Size (bytes):64760
                                                                  Entropy (8bit):6.514217361307989
                                                                  Encrypted:false
                                                                  SSDEEP:1536:/JkO5XuoOM3qn3RDWuLHmBET8La0O5dGXwZR:x75Xu5n3BWubmST8ufdGAz
                                                                  MD5:2E6070E9B26AC1377F9208C320D62591
                                                                  SHA1:A5C6D4AC71748C0979968A40180A575F611C73D4
                                                                  SHA-256:9499F3B7446292DC164A7ACDABD8B6B38AE3D94B9D092004C1ED48DCBB83BB44
                                                                  SHA-512:06EB42262382E78D83D48D554EA4453AFB36887C57643CED6128139B71D4465544B79689D939DE52F6EB426788153F71B79F1E3D70563D51632A12D743E5714F
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: ...........@GDEF.&.%...L....GPOS"v/....l....GSUBlT.....t....LTSHSr.........#OS/2...........VVDMX[zc....t....cmap&.`...T....cvt ......`...xfpgm..^........dgasp.......<....glyf0y.....L...Rhdmx3.>V......Dhead...........6hhea...........$hmtx......@...|loca...E......@maxp........... name............post....... ....prepS0_................................................*.8..taml......ENG ..................abvm.......................|...................................................................................h.........................................u.u...................u.u.................................................2.v..taml......ENG ..........................abvs. akhn.(half..haln.4psts.:...........................................".*.2.:.B.J.......@.......V.......x.................................................................r.r.........4.8.<.@.D.H.L.P.T.X.\.`.d.h.l.p.t.x.|...........\...^...`...b...d...f...h...j...l...n...p...r...t...v...x...z...|...~..................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-3FHQG.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PDF document, version 1.4
                                                                  Category:dropped
                                                                  Size (bytes):406834
                                                                  Entropy (8bit):7.922529686374347
                                                                  Encrypted:false
                                                                  SSDEEP:12288:gXd1z8FnTeLJ7LDlvF1eJEMtSwEA9VDuAUFQ:p6FktS9GSAT
                                                                  MD5:8BDA397B14FBA66375203F5030F74140
                                                                  SHA1:630DE841DB88EF0778391620D2F89DC71ABA3589
                                                                  SHA-256:53EB0618FF764DEC0BE20847AA2FB293A7E3735384C817027861DE9D3378B250
                                                                  SHA-512:26908000EEE54880E371D5E62EECD091DCEEC5CF3BAAB62A1E7FD627E32B47797651DC51033D81C2B268481A57493978725713C9E23DDC6E225E4B05A4C83B00
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: %PDF-1.4.%.....1 0 obj.<</Creator (Mozilla/5.0 \(Windows NT 10.0; WOW64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/61.0.3163.102 Safari/537.36 Vivaldi/1.93.955.38)./Producer (Skia/PDF m61)./CreationDate (D:20171021162542+00'00')./ModDate (D:20171021162542+00'00')>>.endobj.2 0 obj.<</Type /XObject./Subtype /Image./Width 415./Height 93./ColorSpace /DeviceRGB./BitsPerComponent 8./Filter /FlateDecode./Length 2579>> stream.x..=..9........@.*..+`.D...B&......MW.e.>..s.CFY.K.m.e..B.!..!...D..a..-...+/.-;o.<Y%K.6..R...p6 WZI...d......H...d......H...d......H...d......H...d.. n..i5B.C...g.........d...6..Bq..M..Fg.m`..........>......$4=$..}..]...HhzH6:.l.. .7....lt...vA(n ..!.....P.@B.C...g.........d...6..Bq..M..Fg.m`..........>......$4=$..}..]...HhzH6:.l.. .7....lt...vA...7....t...{....m..~xjE.#Bq...t...{....m..~xjE.#Bq...t...{....m..~xjE.#Bq...t...{....m..~xjE.#Bq...t...{....m..~xjE.#.+n...X.y....B..Bq.....8.h..,...P..A(n .5.g*..*d9*........x....AK...x4.......!.7....3.EX....
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8I9B6.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):94720
                                                                  Entropy (8bit):6.2283195662657125
                                                                  Encrypted:false
                                                                  SSDEEP:1536:lJ46GFya7vjnxvoPENgBPIO4qHlCef0vovpg/1H6lbEdozX5mAofEsyQh9:lJkBvjx2Ov1/8lgKb53Rah
                                                                  MD5:4299D8C96853F2210A3E7827AB6A4E80
                                                                  SHA1:3906ABBE7463D5E2DC50CC676E1AE8B51ADCAA06
                                                                  SHA-256:7F79589F36CFB1613ABB2F2338C6177AFD4984F3D6A8E18C08F13561796B3A7D
                                                                  SHA-512:58F86BC1639694499648F07BC3BA7B7B4BF7E95F4A6B3A93B4A1B271D587DF909771C7669CC34BE56098663231BB6B39BD9B17F7D844B9B2D9387A3594C64EF1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#.........n......0........0....|n................................=F........ .........................u.......l...................................................................................t................................text...4...........................`.P`.data....&...0...(..................@.`..rdata.......`.......>..............@.`@.bss..................................`..edata..u............V..............@.0@.idata..l............^..............@.0..CRT....,............f..............@.0..tls.... ............h..............@.0..reloc...............j..............@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-8ICQF.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):63488
                                                                  Entropy (8bit):6.300610257983227
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Opi4OKRmDCqQPlwXVXKXHWRi6H7hubmKvp08k:OpLmDCqQWXVamRLMbpvp08k
                                                                  MD5:49055810FCC813A8E1BDE0A64233F06F
                                                                  SHA1:70F9B4F9668CEDE76B785DD3A1D54146B7F8F68A
                                                                  SHA-256:D1111915F3E27EF605141A56CC5BEDEA25684ED44784DE1213E99F5FE9E5A41E
                                                                  SHA-512:7FCA8D488BC30385011AEAC999943A7BC6BA9E2E15CE83D8CCB77AE72A7C0AF1391D6F7A8966443C31F83C54C10A67722D976E7D69F0D442234264C8856A5C50
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..V...........#................0.............Hj.........................`................ .........................:.... ...............................P...............................@.......................!..p............................text...............................`.P`.data...D...........................@.0..rdata..............................@.`@.bss..................................`..edata..:...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.... ....@......................@.0..reloc.......P......................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-9HHB4.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32585
                                                                  Entropy (8bit):5.416596489081668
                                                                  Encrypted:false
                                                                  SSDEEP:384:5735N1fmZFO+S2uCtA2ostKbKSGQWlVsMb9XaVuXYA4iYG+mbe3FhEKoafNDhwrc:+6AuBOgPW3dasqiYGxq3FmKhrh
                                                                  MD5:F68C187D209127BB0A4487B23EC29A25
                                                                  SHA1:54726179BDDE7A6BD341B2BA3464E3B79CEA08C7
                                                                  SHA-256:23FD4DAAB07107BFB9FD0950C0490BA65DF2FBC21680E46D9B93800E38BD1943
                                                                  SHA-512:7364E67CBE7449C35930649C1B1360B88448893CCC207D1DCF5D3216F6C9CE33C9F4B0873A1E6AAC8C151A76F9D082B4C5C1E42DBA5800B789B72F74C9065540
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........x..0.....& .....L...&................tk............................. ................ .................................................x...............................H........................... ...(.......................`............................text...@K.......L.................. .P`.data...P....`.......P..............@.P..rdata.......p.......R..............@.P@/4......5............Z..............@.0@.pdata...............\..............@.0@.xdata..T............`..............@.0@.bss..................................`..edata...............d..............@.0@.idata..x............h..............@.0..CRT....X............p..............@.@..tls....h............r..............@.`..reloc..H............t..............@.0B/14..................v..............@.0B........................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-BB30O.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):80653
                                                                  Entropy (8bit):5.935029812256724
                                                                  Encrypted:false
                                                                  SSDEEP:1536:K7jqZI3jgg9IJgo+wrcKl8l2gdejHL8jT7x8ZKQi3uh:yUojggfo+wgl2gGHLYXx80T3uh
                                                                  MD5:266FA5BAC8FAB45A57B3EB68495334F4
                                                                  SHA1:C845B88A5F2279E348886E4D6246F855ACAA85B9
                                                                  SHA-256:C8A3B86D6E930B21F428A3CAC3CC8FB432716D16043824DF886731565BFE8A23
                                                                  SHA-512:EF8CAEF0A926865D4B1FE0CE51DC9542B814EB76392F85895A042AC514C529426519C83BCEC2EB976848D174D504E2852FA854C06A70D21F4E16DEBD533E3D0A
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........2..?.....& .........V.................e....................................;......... ......................................p..6.......(............@.......................0...................... ...(....................................................text............................... .P`.data...`...........................@.P..rdata..@,..........................@.`@/4......5....0......................@.0@.pdata.......@......................@.0@.xdata.......P......................@.0@.bss.........`........................`..edata..6....p......................@.0@.idata..(............ ..............@.0..CRT....X............*..............@.@..tls....h............,..............@.`..reloc..............................@.0B/14..................0..............@.0B........................................................................................

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-DL2UG.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6905344
Entropy (8bit): 6.5837046092295175
Encrypted: false
SSDEEP: 98304:N4Fh1Qy6f03K4DZfMGjC6TZm3IJiwwQYOfh:iyd0a4Dvq3IxwQn
MD5: A445770520FEDB0462439C43D6D898C6
SHA1: B2C434ECCF56D86875C4BEB5033C5F7E2BABAA67
SHA-256: 23636FA2194AED077112DFC0FAE7B86D9022BFA6E9BDC62E3A338A068B3E92AC
SHA-512: EEF738FD18FA1FCA745EE461C8FFA530AA104897E5476FEA692EEAE99A109110BB81F9DFF87CCDD2BD0BF36C4C4C7993EC7000CAD1489BEBDEE9227650DAA4D4
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-E4UP5.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 182365
Entropy (8bit): 6.791628337519772
Encrypted: false
SSDEEP: 3072:FiP8zpgWMwBsaEcWfsUGPWTSMqqDVw7P3FwBP1ELFy:Fu8NsgsidwxqqDVMFwBaFy
MD5: 854C550450BEDDEBAAFE1DD74F073641
SHA1: 3DB1545773EA7756D6A87B3693148ABCD1CDAB86
SHA-256: 8561D32E30B3DEC9FFD24B1BD87E96444FD6D3D304D64F80C6D99E112411DC48
SHA-512: 42AF4079F184A0F8E22689F55DFA225F10B20FF8C0816D728CE022573E5EF1F1412B87000F0EF375D7DFC2A1D734A2047D539597EA4FE8EF1D5A2895053C50D1
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-FA52M.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 71168
Entropy (8bit): 6.40885208921363
Encrypted: false
SSDEEP: 1536:zJYutTAkscOGfUsditx65XjxqzH6oPA4Ol/mGdiP99bQXFCw3:zJYAJss3d3zxfoIV/bCw3
MD5: BC738DA6535B5015E9EABA90F56F8B59
SHA1: CE7C7865645A09DCF59DAF519BADE328DDF04B67
SHA-256: 4EEA44B0B4EA4C248595BB1E573334005EC538792E3BB9D2A07EE01265443327
SHA-512: FD2A5C1EB9C5FE4BD2FD87EF912297F463CB623E12D5E9CCF8CC7FCCB39858765E289F4A9102FC02F68B0845048ABB1390DD32AFE2329B143ED331F678C4792B
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IKHRO.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 80384
Entropy (8bit): 6.466525325104407
Encrypted: false
SSDEEP: 1536:iRc06HCdj3uTEv22Ec1eFOCvgxqHm04rgl1ammsUZNIEklJMxb+:iRc0aC13oC1eF7G0MoamzK9klJMxb
MD5: 87B32E6ED0B33019DDB113DB9EE52B23
SHA1: F6661C6150B3AFA8F5603381911B87645F932B44
SHA-256: 4C99C72663C1944D031D6B4D0AA18C3356E964EF874103CBFAC61589590D742B
SHA-512: 3D44792B6E556B2AEFD9BD796E092067AF72252AA38B70A7A2294F9718D4519D59C8106C59D2AAF7E08AAF6871FC4B1C306BAD4C7B785E0365405386DA1DD59F
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IOVRI.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 86528
Entropy (8bit): 6.300346716213912
Encrypted: false
SSDEEP: 1536:7JXErVqLiEb/Zp/Yz6V3JNmODTYaxIHsVn9HIjUmY5e2oC2K9lZ:7JXEBqLiCHAz6V9V9GURe2oC2KTZ
MD5: 893C149773BFF81B55530820207C73F0
SHA1: 46C6B5F00B463D31140A0B9972D4BC2B04BA0D0A
SHA-256: 83F074DBACF3D3DC4C7D5646D056359BB7CB29DCD1A2D109CD07EE21DBDB42AF
SHA-512: 33F1F08051632756396EE906BCB7285726484EBA1D8C67ECF884A42F824261D9B73BA0BCA52EB8A7D68E7544D79C6FEEA2C98A46C1E0E2CE98E3BBDC3B6B63EA
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-IQQ0L.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 87040
Entropy (8bit): 6.204875539391202
Encrypted: false
SSDEEP: 1536:G3KDgzmAgyM0tlnOZO5WfQeN7VHS6WnjFFbm9B8JTKAFh2:Ga2SOtAZO5cQe5s6+rb2WzFh2
MD5: 4C85DFBA434A42BCD7E31D33E480DCE2
SHA1: 271B47765442FC9E50E0CDF46D0ADB8A854FD496
SHA-256: 8E96A33FC8635E1F12E14E3C9AAC6AD5EA21F7B70F0E9E423B487BB57EBBCE1E
SHA-512: 0E0BD76353D88B40FE77E81108A01EB61931B13FEC1846985FB0508702967FE4177D2A5C48E8C292EDF0F666813DC54B3757843A95846132D41964552E79E7EF
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K16NE.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 120774
Entropy (8bit): 6.037077757732975
Encrypted: false
SSDEEP: 3072:nPE0Yx2cwD/Dtixvr6FkTwCD4N8FBKd8UR:sMzD/amFE4NQKd8UR
MD5: 082A8171C726E58C1618DA3781AB7833
SHA1: 5D74E7F8F5E14C1A70331A03456C68BB33AC17E2
SHA-256: AE1A1179289D1AB3B406F4BB347284464123C51BE50C1BCF38F2B5DD691E065C
SHA-512: 837433AA29DFF1BD35AEB800B8DC69FB881BB2C435BF5BBA0AD7E809AD4CEA765B179DB4024A53F92E6B905FC964F23ED79949FA84424F864BBB88F140BD8682
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-K9D4V.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 71680
Entropy (8bit): 6.249755448787507
Encrypted: false
SSDEEP: 768:5ONkZWr2iwGZYSK8wHieEbRuzwoQs4HwU4XJPcCqqTPtzY0Xcd6e2XGem3SObDQy:5ONkZqhGHi1uzZGHwlOSs/2fmiOQ
MD5: 613283CE438722CC027B2F0CAFC910D7
SHA1: 06D1F1B97A1041A58D55D6EE227DF887511041A5
SHA-256: D953E18D73AF16D5B0E2EBC79CBB6F85871DD5CD4EBD45A5B1D54F50AABAAD3E
SHA-512: 44897BBBA77779A0DCAAABB8B91FC6338320B86A88B10132A1841D35D1605118FC7FFE66B1BEA18813E40B0EE5BFB8942B831C5E52DFB767A2572C204A071112
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-L6LQH.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 78848
Entropy (8bit): 6.246337898053042
Encrypted: false
SSDEEP: 1536:1ISc1+2KuvhLeGwUNHsdvisJy2bmN0+RveV6yG:1e1+so5d6AbB+EV2
MD5: 8B89A31D5D3F3173F5E3BB9118D04A7E
SHA1: B9829C7DF23D7190928041753E2E07069C7ABFEE
SHA-256: C5616071D5D2E858BF26CEA64BCDA17B6C494B1507EA96A17816811C6071E4A8
SHA-512: 67ED465D0AF1E933DEE09C95A3E5945CB33308F0DE21182128F9D19C5AE85ED048B5CEF685B322A6BA4C33830F5844A5EED507B3475017A845391305D872FF12
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-M842K.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 69632
Entropy (8bit): 5.9471839268980276
Encrypted: false
SSDEEP: 1536:1qkfBMFLAlVQtlJR5E7kGJasMaooupW51+SXKl6U22Ol2B:RZ4LRa7ksasM3f4C6d2Ol2B
MD5: 8E8285AAC0EF77A6CEDE53EAFE9C5298
SHA1: 8A4715C1C8591B83B925282AF5BA72832C1CA0FC
SHA-256: 3A94A8E5F9AB0ECA82611F95DC78C07C5093574C772B9C19D590F8E959191973
SHA-512: 04F24CFA4F187FBE897033359EB3A2DA19C4225B514E0D6EE269D741C8BF86D9F7A5860AE2DE676DF1748C0D64CCB9DD58758CBE1524FF938C99224AFD30997F
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-N1KLR.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 57856
Entropy (8bit): 6.295204788467111
Encrypted: false
SSDEEP: 1536:Wztan7pk13bHPH/VDMzp4wpmKBVzOf1JJKDo7wvNyGUC:st29kHVoCwpZBpOf1JJKDo7wvNyJ
MD5: 40F2B954259FF75979920FA7546C89F0
SHA1: C93F6BC6C7F68DD02DCF66C57A71FCF8DDBC35E5
SHA-256: 460960B7A0A0F5F0A40B33203A46E840AD01E260AFB4540ECD4E6C779D5B041B
SHA-512: D992DDD9271422914335DE85F0CB6991F4389F7E2C9A8B4606C435DC30CEEE31671D725EFA4DA397502551D1B45F826692D486612AFE435A51D30B13DACD295D
Malicious: false
Reputation: unknown

C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-O8CLQ.tmp
Process: C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 67584
Entropy (8bit): 6.383793162041836
Encrypted: false
SSDEEP: 1536:rfPpv2oNi2l7RyqgAVn21UH+KUf7jDq6LmG1h85:rfPpv2oYmGAVu5K4T7LRH8
MD5: 29F7AAB4E7367014DB45F866AB052327
SHA1: F2BC284D7ACBEF09FEA7136B9156ED79289059F7
SHA-256: 2204684F02AE5185DEAA3704ED8355A737018CAE320E68E3209311D1F2506237
SHA-512: 46917B7C58E46DCAAA7F9740BC65C7323FE4A999CE35D3C670C7B8DCB205BE2667A7A5D21DFEE8F32F42A1EE41F6118DF896D02A96AD85A0B0F88C3B79B87143
Malicious: false
Reputation: unknown
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-P09CL.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):95232
                                                                  Entropy (8bit):6.030616936830931
                                                                  Encrypted:false
                                                                  SSDEEP:1536:2LUkWfOuFIGlk4dltwXg2/y8fN3SOpynIS9384xZLr0alK3TVzVf1JJKDo7wvaJT:2LVWfOuSItk3/hZS1d/04CTpVf1JJKDC
                                                                  MD5:8C72FC2D0C83E1698B0FC50775310B16
                                                                  SHA1:D8C49BB33E9239CFBD76FFCCE8A95485A90A46BF
                                                                  SHA-256:31A3DDED0E009827E09BE2B2BEC6FC033CB06C147AF67FBE818EA82FD5541BE2
                                                                  SHA-512:B9630C7B6E53B276FC0C101E054530E51493989870AEAD05207BA4CE36BCEA946DDDB0B130EF5A2379F10930DCA4AF2036E32AF75FF38D6430145D89AE9E0B37
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...|.+T...........".........p................ld.............................................. .........................................................l....`..h...............p........................... ...(...................@................................text...............................`.P`.data...............................@.`..rdata.. 5... ...6..................@.`@.pdata..h....`.......4..............@.0@.xdata.......p.......B..............@.0@.bss....0.............................`..edata...............N..............@.0@.idata...............Z..............@.0..CRT....X............h..............@.@..tls....h............j..............@.`..rsrc...l............l..............@.0..reloc..p............r..............@.0B................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-QKKTN.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):84992
                                                                  Entropy (8bit):6.265898506164664
                                                                  Encrypted:false
                                                                  SSDEEP:1536:HEbGfT4u4bdi3txtGwY4HmUo5B8NC5Uw4tmfee2K0nXqJUDdsXNSSG3H00StLebU:k6fTTkdi3AwmUo78/tIeeOnXq2sX8SGq
                                                                  MD5:6BA630B7EFB75E1A7BD1DDE921269CAF
                                                                  SHA1:747A70F6AA881371987D17C777A8AC2F9ACD97DF
                                                                  SHA-256:469082F964FEDD6014CF97DE7C30F85D471E6C41248A48A8870657E330D7E36C
                                                                  SHA-512:F401ADB86F6CB3BDEBFF0C6310A2AE7C0B2E59BDFB9EC3C8008A941AE22DEA3EE4D39ECB6D7C7331A8DEDC96E03A8C1C70AC14DCA5C183D509F253755FDFA376
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#.........H......0..............e......................................... ......................`..k....p.......................................................................................r..@............................text...T...........................`.P`.data...D...........................@.0..rdata...'... ...(..................@.`@.bss.........P........................`..edata..k....`......."..............@.0@.idata.......p.......(..............@.0..CRT....,............<..............@.0..tls.... ............>..............@.0..reloc...............@..............@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-SNH0L.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):52224
                                                                  Entropy (8bit):6.245414002002033
                                                                  Encrypted:false
                                                                  SSDEEP:768:OsH/CHGrCasbXzxUuAEZ1rXK4bgCAosF14HYs44HZcCq+TEbbJwziIHc42+ewBmV:OsRvQras7jHYN1u+JwZmwdtmns
                                                                  MD5:00D68E20169F763376095705C1520C4F
                                                                  SHA1:75EC5E1974654613C9EEEFF047F1EB58694FD656
                                                                  SHA-256:3C12F0A9F43CF88D82F5CC482627237F51A63A293EF95F2342222EBDE1FB909F
                                                                  SHA-512:4E180A8CE0E30CFC82883D05D8708FE82442541A4C522055D00F381BF47A0A4F269BC1F5E1EBBFEC888EDBE455CE145E24CB4C734E682E830322E13479A62C34
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..V...........#................0..............i.........................@............... .................................`............................0............................... .......................................................text...$...........................`.P`.data...D...........................@.0..rdata..T...........................@.`@.bss..................................`..edata..............................@.0@.idata..`...........................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc.......0......................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\is-T5J2K.tmp
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2388992
                                                                  Entropy (8bit):6.921889533772244
                                                                  Encrypted:false
                                                                  SSDEEP:49152:aps9nHkSQxMT4ol90axV8TCPVYVqkuU4D7+dS/:apsZESQxMTr8TGYQkuU
                                                                  MD5:D78F53CA162BD9BF22E7E7249B2E9FFE
                                                                  SHA1:0ABB2D2DED9B321D38DBDA941352398329275A7F
                                                                  SHA-256:65DAC0E0B94E59D95050E8589639ADDCF1F91623DE7FD64E5850A16756FAA68E
                                                                  SHA-512:C5766BC17349E75D319BECAE4EACBEFF620B9696A2738B42C5CC714579B00931C608E6668514EEF1A437EEFC49261A44A2FAD2C910580F64420DA4DE19E1262D
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........h..............|~..............|......Rich......q.du...v.du...p..du.du.du...q..fu.7.p.du..t.du.dt.ndu.7.|.du.7.u.du.7...du.7.w.du.Rich.du.........PE..L....i\a...........!..........................................................$......J#...@.........................`.!.D.....!......0".......................#.`....S!......................T!......S!.@............................................text............................... ..`.rdata..0...........................@..@.data.........!..P....!.............@....rsrc........0".......!.............@..@.reloc..`.....#......r#.............@..B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libchromaprint.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):80384
                                                                  Entropy (8bit):6.466525325104407
                                                                  Encrypted:false
                                                                  SSDEEP:1536:iRc06HCdj3uTEv22Ec1eFOCvgxqHm04rgl1ammsUZNIEklJMxb+:iRc0aC13oC1eF7G0MoamzK9klJMxb
                                                                  MD5:87B32E6ED0B33019DDB113DB9EE52B23
                                                                  SHA1:F6661C6150B3AFA8F5603381911B87645F932B44
                                                                  SHA-256:4C99C72663C1944D031D6B4D0AA18C3356E964EF874103CBFAC61589590D742B
                                                                  SHA-512:3D44792B6E556B2AEFD9BD796E092067AF72252AA38B70A7A2294F9718D4519D59C8106C59D2AAF7E08AAF6871FC4B1C306BAD4C7B785E0365405386DA1DD59F
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#.........6......0..............n.......................................... ......................`.......p..`....................................................................................q..X............................text...............................`.P`.data...D...........................@.0..rdata....... ......................@.`@.bss....(....@........................`..edata.......`......................@.0@.idata..`....p......................@.0..CRT....,............*..............@.0..tls.... ............,..............@.0..reloc..............................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaac.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):94720
                                                                  Entropy (8bit):6.2283195662657125
                                                                  Encrypted:false
                                                                  SSDEEP:1536:lJ46GFya7vjnxvoPENgBPIO4qHlCef0vovpg/1H6lbEdozX5mAofEsyQh9:lJkBvjx2Ov1/8lgKb53Rah
                                                                  MD5:4299D8C96853F2210A3E7827AB6A4E80
                                                                  SHA1:3906ABBE7463D5E2DC50CC676E1AE8B51ADCAA06
                                                                  SHA-256:7F79589F36CFB1613ABB2F2338C6177AFD4984F3D6A8E18C08F13561796B3A7D
                                                                  SHA-512:58F86BC1639694499648F07BC3BA7B7B4BF7E95F4A6B3A93B4A1B271D587DF909771C7669CC34BE56098663231BB6B39BD9B17F7D844B9B2D9387A3594C64EF1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#.........n......0........0....|n................................=F........ .........................u.......l...................................................................................t................................text...4...........................`.P`.data....&...0...(..................@.`..rdata.......`.......>..............@.`@.bss..................................`..edata..u............V..............@.0@.idata..l............^..............@.0..CRT....,............f..............@.0..tls.... ............h..............@.0..reloc...............j..............@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libfaad2.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2388992
                                                                  Entropy (8bit):6.921889533772244
                                                                  Encrypted:false
                                                                  SSDEEP:49152:aps9nHkSQxMT4ol90axV8TCPVYVqkuU4D7+dS/:apsZESQxMTr8TGYQkuU
                                                                  MD5:D78F53CA162BD9BF22E7E7249B2E9FFE
                                                                  SHA1:0ABB2D2DED9B321D38DBDA941352398329275A7F
                                                                  SHA-256:65DAC0E0B94E59D95050E8589639ADDCF1F91623DE7FD64E5850A16756FAA68E
                                                                  SHA-512:C5766BC17349E75D319BECAE4EACBEFF620B9696A2738B42C5CC714579B00931C608E6668514EEF1A437EEFC49261A44A2FAD2C910580F64420DA4DE19E1262D
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........h..............|~..............|......Rich......q.du...v.du...p..du.du.du...q..fu.7.p.du..t.du.dt.ndu.7.|.du.7.u.du.7...du.7.w.du.Rich.du.........PE..L....i\a...........!..........................................................$......J#...@.........................`.!.D.....!......0".......................#.`....S!......................T!......S!.@............................................text............................... ..`.rdata..0...........................@..@.data.........!..P....!.............@....rsrc........0".......!.............@..@.reloc..`.....#......r#.............@..B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libffi-6.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32585
                                                                  Entropy (8bit):5.416596489081668
                                                                  Encrypted:false
                                                                  SSDEEP:384:5735N1fmZFO+S2uCtA2ostKbKSGQWlVsMb9XaVuXYA4iYG+mbe3FhEKoafNDhwrc:+6AuBOgPW3dasqiYGxq3FmKhrh
                                                                  MD5:F68C187D209127BB0A4487B23EC29A25
                                                                  SHA1:54726179BDDE7A6BD341B2BA3464E3B79CEA08C7
                                                                  SHA-256:23FD4DAAB07107BFB9FD0950C0490BA65DF2FBC21680E46D9B93800E38BD1943
                                                                  SHA-512:7364E67CBE7449C35930649C1B1360B88448893CCC207D1DCF5D3216F6C9CE33C9F4B0873A1E6AAC8C151A76F9D082B4C5C1E42DBA5800B789B72F74C9065540
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........x..0.....& .....L...&................tk............................. ................ .................................................x...............................H........................... ...(.......................`............................text...@K.......L.................. .P`.data...P....`.......P..............@.P..rdata.......p.......R..............@.P@/4......5............Z..............@.0@.pdata...............\..............@.0@.xdata..T............`..............@.0@.bss..................................`..edata...............d..............@.0@.idata..x............h..............@.0..CRT....X............p..............@.@..tls....h............r..............@.`..reloc..H............t..............@.0B/14..................v..............@.0B........................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):57856
                                                                  Entropy (8bit):6.295204788467111
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Wztan7pk13bHPH/VDMzp4wpmKBVzOf1JJKDo7wvNyGUC:st29kHVoCwpZBpOf1JJKDo7wvNyJ
                                                                  MD5:40F2B954259FF75979920FA7546C89F0
                                                                  SHA1:C93F6BC6C7F68DD02DCF66C57A71FCF8DDBC35E5
                                                                  SHA-256:460960B7A0A0F5F0A40B33203A46E840AD01E260AFB4540ECD4E6C779D5B041B
                                                                  SHA-512:D992DDD9271422914335DE85F0CB6991F4389F7E2C9A8B4606C435DC30CEEE31671D725EFA4DA397502551D1B45F826692D486612AFE435A51D30B13DACD295D
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#................0.............(k.........................`................ .........................>.......t....@..l....................P..d............................0......................`................................text...(...........................`.P`.data...H...........................@.0..rdata...2.......4..................@.`@.bss..................................`..edata..>...........................@.0@.idata..t...........................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc...l....@......................@.0..reloc..d....P......................@.0B................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgpg-error6-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):95232
                                                                  Entropy (8bit):6.030616936830931
                                                                  Encrypted:false
                                                                  SSDEEP:1536:2LUkWfOuFIGlk4dltwXg2/y8fN3SOpynIS9384xZLr0alK3TVzVf1JJKDo7wvaJT:2LVWfOuSItk3/hZS1d/04CTpVf1JJKDC
                                                                  MD5:8C72FC2D0C83E1698B0FC50775310B16
                                                                  SHA1:D8C49BB33E9239CFBD76FFCCE8A95485A90A46BF
                                                                  SHA-256:31A3DDED0E009827E09BE2B2BEC6FC033CB06C147AF67FBE818EA82FD5541BE2
                                                                  SHA-512:B9630C7B6E53B276FC0C101E054530E51493989870AEAD05207BA4CE36BCEA946DDDB0B130EF5A2379F10930DCA4AF2036E32AF75FF38D6430145D89AE9E0B37
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...|.+T...........".........p................ld.............................................. .........................................................l....`..h...............p........................... ...(...................@................................text...............................`.P`.data...............................@.`..rdata.. 5... ...6..................@.`@.pdata..h....`.......4..............@.0@.xdata.......p.......B..............@.0@.bss....0.............................`..edata...............N..............@.0@.idata...............Z..............@.0..CRT....X............h..............@.@..tls....h............j..............@.`..rsrc...l............l..............@.0..reloc..p............r..............@.0B................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstapp-1.0-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):71680
                                                                  Entropy (8bit):6.249755448787507
                                                                  Encrypted:false
                                                                  SSDEEP:768:5ONkZWr2iwGZYSK8wHieEbRuzwoQs4HwU4XJPcCqqTPtzY0Xcd6e2XGem3SObDQy:5ONkZqhGHi1uzZGHwlOSs/2fmiOQ
                                                                  MD5:613283CE438722CC027B2F0CAFC910D7
                                                                  SHA1:06D1F1B97A1041A58D55D6EE227DF887511041A5
                                                                  SHA-256:D953E18D73AF16D5B0E2EBC79CBB6F85871DD5CD4EBD45A5B1D54F50AABAAD3E
                                                                  SHA-512:44897BBBA77779A0DCAAABB8B91FC6338320B86A88B10132A1841D35D1605118FC7FFE66B1BEA18813E40B0EE5BFB8942B831C5E52DFB767A2572C204A071112
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#................0.............<p................................1......... ...................... .......0..@............................p..d............................`......................<3...............................text...............................`.P`.data...............................@.`..rdata...$.......&..................@.`@.bss..................................`..edata....... ......................@.0@.idata..@....0......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc..d....p......................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstcontroller-1.0-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):84992
                                                                  Entropy (8bit):6.265898506164664
                                                                  Encrypted:false
                                                                  SSDEEP:1536:HEbGfT4u4bdi3txtGwY4HmUo5B8NC5Uw4tmfee2K0nXqJUDdsXNSSG3H00StLebU:k6fTTkdi3AwmUo78/tIeeOnXq2sX8SGq
                                                                  MD5:6BA630B7EFB75E1A7BD1DDE921269CAF
                                                                  SHA1:747A70F6AA881371987D17C777A8AC2F9ACD97DF
                                                                  SHA-256:469082F964FEDD6014CF97DE7C30F85D471E6C41248A48A8870657E330D7E36C
                                                                  SHA-512:F401ADB86F6CB3BDEBFF0C6310A2AE7C0B2E59BDFB9EC3C8008A941AE22DEA3EE4D39ECB6D7C7331A8DEDC96E03A8C1C70AC14DCA5C183D509F253755FDFA376
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#.........H......0..............e......................................... ......................`..k....p.......................................................................................r..@............................text...T...........................`.P`.data...D...........................@.0..rdata...'... ...(..................@.`@.bss.........P........................`..edata..k....`......."..............@.0@.idata.......p.......(..............@.0..CRT....,............<..............@.0..tls.... ............>..............@.0..reloc...............@..............@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstfft-1.0-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):67584
                                                                  Entropy (8bit):6.383793162041836
                                                                  Encrypted:false
                                                                  SSDEEP:1536:rfPpv2oNi2l7RyqgAVn21UH+KUf7jDq6LmG1h85:rfPpv2oYmGAVu5K4T7LRH8
                                                                  MD5:29F7AAB4E7367014DB45F866AB052327
                                                                  SHA1:F2BC284D7ACBEF09FEA7136B9156ED79289059F7
                                                                  SHA-256:2204684F02AE5185DEAA3704ED8355A737018CAE320E68E3209311D1F2506237
                                                                  SHA-512:46917B7C58E46DCAAA7F9740BC65C7323FE4A999CE35D3C670C7B8DCB205BE2667A7A5D21DFEE8F32F42A1EE41F6118DF896D02A96AD85A0B0F88C3B79B87143
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#................0..............j.................................3........ ......................0.......@...............................p...............................`......................XA...............................text...............................`.P`.data...D...........................@.0..rdata..............................@.`@.bss......... ........................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstriff-1.0-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):86528
                                                                  Entropy (8bit):6.300346716213912
                                                                  Encrypted:false
                                                                  SSDEEP:1536:7JXErVqLiEb/Zp/Yz6V3JNmODTYaxIHsVn9HIjUmY5e2oC2K9lZ:7JXEBqLiCHAz6V9V9GURe2oC2KTZ
                                                                  MD5:893C149773BFF81B55530820207C73F0
                                                                  SHA1:46C6B5F00B463D31140A0B9972D4BC2B04BA0D0A
                                                                  SHA-256:83F074DBACF3D3DC4C7D5646D056359BB7CB29DCD1A2D109CD07EE21DBDB42AF
                                                                  SHA-512:33F1F08051632756396EE906BCB7285726484EBA1D8C67ECF884A42F824261D9B73BA0BCA52EB8A7D68E7544D79C6FEEA2C98A46C1E0E2CE98E3BBDC3B6B63EA
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..V...........#.........N......0............. i.......................................... ......................p..S.......0...................................................................................l................................text...............................`.P`.data...T...........................@.0..rdata...3... ...4..................@.`@.bss.........`........................`..edata..S....p.......,..............@.0@.idata..0............0..............@.0..CRT....,............@..............@.0..tls.... ............B..............@.0..reloc...............D..............@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libgstsdp-1.0-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):78848
                                                                  Entropy (8bit):6.246337898053042
                                                                  Encrypted:false
                                                                  SSDEEP:1536:1ISc1+2KuvhLeGwUNHsdvisJy2bmN0+RveV6yG:1e1+so5d6AbB+EV2
                                                                  MD5:8B89A31D5D3F3173F5E3BB9118D04A7E
                                                                  SHA1:B9829C7DF23D7190928041753E2E07069C7ABFEE
                                                                  SHA-256:C5616071D5D2E858BF26CEA64BCDA17B6C494B1507EA96A17816811C6071E4A8
                                                                  SHA-512:67ED465D0AF1E933DEE09C95A3E5945CB33308F0DE21182128F9D19C5AE85ED048B5CEF685B322A6BA4C33830F5844A5EED507B3475017A845391305D872FF12
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..V...........#.........0......0..............f.................................?........ ......................0..h....P..................................<............................p......................HR...............................text...d...........................`.P`.data...D...........................@.0..rdata..............................@.`@.bss......... ........................`..edata..h....0......................@.0@.idata.......P......................@.0..CRT....,....`.......&..............@.0..tls.... ....p.......(..............@.0..reloc..<............*..............@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libid3tag.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):87040
                                                                  Entropy (8bit):6.204875539391202
                                                                  Encrypted:false
                                                                  SSDEEP:1536:G3KDgzmAgyM0tlnOZO5WfQeN7VHS6WnjFFbm9B8JTKAFh2:Ga2SOtAZO5cQe5s6+rb2WzFh2
                                                                  MD5:4C85DFBA434A42BCD7E31D33E480DCE2
                                                                  SHA1:271B47765442FC9E50E0CDF46D0ADB8A854FD496
                                                                  SHA-256:8E96A33FC8635E1F12E14E3C9AAC6AD5EA21F7B70F0E9E423B487BB57EBBCE1E
                                                                  SHA-512:0E0BD76353D88B40FE77E81108A01EB61931B13FEC1846985FB0508702967FE4177D2A5C48E8C292EDF0F666813DC54B3757843A95846132D41964552E79E7EF
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..V...........#.........P......0..............q................................!......... ......................`.......p..................................X....................................................q..X............................text...............................`.P`.data...D...........................@.0..rdata...O.......P..................@.`@.bss.........P........................`..edata.......`.......*..............@.0@.idata.......p.......:..............@.0..CRT....,............D..............@.0..tls.... ............F..............@.0..reloc..X............H..............@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libintl-8.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):120774
                                                                  Entropy (8bit):6.037077757732975
                                                                  Encrypted:false
                                                                  SSDEEP:3072:nPE0Yx2cwD/Dtixvr6FkTwCD4N8FBKd8UR:sMzD/amFE4NQKd8UR
                                                                  MD5:082A8171C726E58C1618DA3781AB7833
                                                                  SHA1:5D74E7F8F5E14C1A70331A03456C68BB33AC17E2
                                                                  SHA-256:AE1A1179289D1AB3B406F4BB347284464123C51BE50C1BCF38F2B5DD691E065C
                                                                  SHA-512:837433AA29DFF1BD35AEB800B8DC69FB881BB2C435BF5BBA0AD7E809AD4CEA765B179DB4024A53F92E6B905FC964F23ED79949FA84424F864BBB88F140BD8682
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........o.....& ...........................a.............................P................ .................................................x.... .......................0.............................. ...(.......................P............................text...`........................... .P`.data........ ......................@.`..rdata...h...0...j..................@.`@/4......5...........................@.0@.pdata..............................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..x...........................@.0..CRT....X...........................@.@..tls....h...........................@.`..rsrc........ ......................@.0..reloc.......0......................@.0B/14..........@......................@.0B................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libmms-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):71168
                                                                  Entropy (8bit):6.40885208921363
                                                                  Encrypted:false
                                                                  SSDEEP:1536:zJYutTAkscOGfUsditx65XjxqzH6oPA4Ol/mGdiP99bQXFCw3:zJYAJss3d3zxfoIV/bCw3
                                                                  MD5:BC738DA6535B5015E9EABA90F56F8B59
                                                                  SHA1:CE7C7865645A09DCF59DAF519BADE328DDF04B67
                                                                  SHA-256:4EEA44B0B4EA4C248595BB1E573334005EC538792E3BB9D2A07EE01265443327
                                                                  SHA-512:FD2A5C1EB9C5FE4BD2FD87EF912297F463CB623E12D5E9CCF8CC7FCCB39858765E289F4A9102FC02F68B0845048ABB1390DD32AFE2329B143ED331F678C4792B
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#................0.............dd................................%......... ......................0..A....@...............................p..X............................`.......................A..p............................text...............................`.P`.data...d...........................@.`..rdata...-..........................@.`@.bss......... ........................`..edata..A....0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..reloc..X....p......................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libnettle-4-6.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):182365
                                                                  Entropy (8bit):6.791628337519772
                                                                  Encrypted:false
                                                                  SSDEEP:3072:FiP8zpgWMwBsaEcWfsUGPWTSMqqDVw7P3FwBP1ELFy:Fu8NsgsidwxqqDVMFwBaFy
                                                                  MD5:854C550450BEDDEBAAFE1DD74F073641
                                                                  SHA1:3DB1545773EA7756D6A87B3693148ABCD1CDAB86
                                                                  SHA-256:8561D32E30B3DEC9FFD24B1BD87E96444FD6D3D304D64F80C6D99E112411DC48
                                                                  SHA-512:42AF4079F184A0F8E22689F55DFA225F10B20FF8C0816D728CE022573E5EF1F1412B87000F0EF375D7DFC2A1D734A2047D539597EA4FE8EF1D5A2895053C50D1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...z.......8.....& ..........................pj.............................@.......I........ .................................................`............................ .............................. ...(....................................................text............................... .P`.data...P...........................@.P..rdata..............................@.`@/4......5............p..............@.0@.pdata...............r..............@.0@.xdata..............................@.0@.bss....0.............................`..edata........... ..................@.0@.idata..`...........................@.0..CRT....X...........................@.@..tls....h...........................@.`..reloc....... ......................@.0B/14..........0......................@.0B........................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\liborc-test-0.4-0.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):52224
                                                                  Entropy (8bit):6.245414002002033
                                                                  Encrypted:false
                                                                  SSDEEP:768:OsH/CHGrCasbXzxUuAEZ1rXK4bgCAosF14HYs44HZcCq+TEbbJwziIHc42+ewBmV:OsRvQras7jHYN1u+JwZmwdtmns
                                                                  MD5:00D68E20169F763376095705C1520C4F
                                                                  SHA1:75EC5E1974654613C9EEEFF047F1EB58694FD656
                                                                  SHA-256:3C12F0A9F43CF88D82F5CC482627237F51A63A293EF95F2342222EBDE1FB909F
                                                                  SHA-512:4E180A8CE0E30CFC82883D05D8708FE82442541A4C522055D00F381BF47A0A4F269BC1F5E1EBBFEC888EDBE455CE145E24CB4C734E682E830322E13479A62C34
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..V...........#................0..............i.........................@............... .................................`............................0............................... .......................................................text...$...........................`.P`.data...D...........................@.0..rdata..T...........................@.`@.bss..................................`..edata..............................@.0@.idata..`...........................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..reloc.......0......................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libplist.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):63488
                                                                  Entropy (8bit):6.300610257983227
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Opi4OKRmDCqQPlwXVXKXHWRi6H7hubmKvp08k:OpLmDCqQWXVamRLMbpvp08k
                                                                  MD5:49055810FCC813A8E1BDE0A64233F06F
                                                                  SHA1:70F9B4F9668CEDE76B785DD3A1D54146B7F8F68A
                                                                  SHA-256:D1111915F3E27EF605141A56CC5BEDEA25684ED44784DE1213E99F5FE9E5A41E
                                                                  SHA-512:7FCA8D488BC30385011AEAC999943A7BC6BA9E2E15CE83D8CCB77AE72A7C0AF1391D6F7A8966443C31F83C54C10A67722D976E7D69F0D442234264C8856A5C50
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..V...........#................0.............Hj.........................`................ .........................:.... ...............................P...............................@.......................!..p............................text...............................`.P`.data...D...........................@.0..rdata..............................@.`@.bss..................................`..edata..:...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.... ....@......................@.0..reloc.......P......................@.0B........................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\libtasn1-6.dll (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):80653
                                                                  Entropy (8bit):5.935029812256724
                                                                  Encrypted:false
                                                                  SSDEEP:1536:K7jqZI3jgg9IJgo+wrcKl8l2gdejHL8jT7x8ZKQi3uh:yUojggfo+wgl2gGHLYXx80T3uh
                                                                  MD5:266FA5BAC8FAB45A57B3EB68495334F4
                                                                  SHA1:C845B88A5F2279E348886E4D6246F855ACAA85B9
                                                                  SHA-256:C8A3B86D6E930B21F428A3CAC3CC8FB432716D16043824DF886731565BFE8A23
                                                                  SHA-512:EF8CAEF0A926865D4B1FE0CE51DC9542B814EB76392F85895A042AC514C529426519C83BCEC2EB976848D174D504E2852FA854C06A70D21F4E16DEBD533E3D0A
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........2..?.....& .........V.................e....................................;......... ......................................p..6.......(............@.......................0...................... ...(....................................................text............................... .P`.data...`...........................@.P..rdata..@,..........................@.`@/4......5....0......................@.0@.pdata.......@......................@.0@.xdata.......P......................@.0@.bss.........`........................`..edata..6....p......................@.0@.idata..(............ ..............@.0..CRT....X............*..............@.@..tls....h............,..............@.`..reloc..............................@.0B/14..................0..............@.0B........................................................................................
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\mi (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:PDF document, version 1.4
                                                                  Category:dropped
                                                                  Size (bytes):406834
                                                                  Entropy (8bit):7.922529686374347
                                                                  Encrypted:false
                                                                  SSDEEP:12288:gXd1z8FnTeLJ7LDlvF1eJEMtSwEA9VDuAUFQ:p6FktS9GSAT
                                                                  MD5:8BDA397B14FBA66375203F5030F74140
                                                                  SHA1:630DE841DB88EF0778391620D2F89DC71ABA3589
                                                                  SHA-256:53EB0618FF764DEC0BE20847AA2FB293A7E3735384C817027861DE9D3378B250
                                                                  SHA-512:26908000EEE54880E371D5E62EECD091DCEEC5CF3BAAB62A1E7FD627E32B47797651DC51033D81C2B268481A57493978725713C9E23DDC6E225E4B05A4C83B00
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: %PDF-1.4.%.....1 0 obj.<</Creator (Mozilla/5.0 \(Windows NT 10.0; WOW64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/61.0.3163.102 Safari/537.36 Vivaldi/1.93.955.38)./Producer (Skia/PDF m61)./CreationDate (D:20171021162542+00'00')./ModDate (D:20171021162542+00'00')>>.endobj.2 0 obj.<</Type /XObject./Subtype /Image./Width 415./Height 93./ColorSpace /DeviceRGB./BitsPerComponent 8./Filter /FlateDecode./Length 2579>> stream.x..=..9........@.*..+`.D...B&......MW.e.>..s.CFY.K.m.e..B.!..!...D..a..-...+/.-;o.<Y%K.6..R...p6 WZI...d......H...d......H...d......H...d......H...d.. n..i5B.C...g.........d...6..Bq..M..Fg.m`..........>......$4=$..}..]...HhzH6:.l.. .7....lt...vA(n ..!.....P.@B.C...g.........d...6..Bq..M..Fg.m`..........>......$4=$..}..]...HhzH6:.l.. .7....lt...vA...7....t...{....m..~xjE.#Bq...t...{....m..~xjE.#Bq...t...{....m..~xjE.#Bq...t...{....m..~xjE.#Bq...t...{....m..~xjE.#.+n...X.y....B..Bq.....8.h..,...P..A(n .5.g*..*d9*........x....AK...x4.......!.7....3.EX....
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Bears.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11099
                                                                  Entropy (8bit):4.521039979356267
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8YDwylbCBB7FxS8vHK+7GrkeyL2eJc6zgqkT3ruyS0OB:9YVuBT9v1SrsLJJc6zgnT3ruyBq
                                                                  MD5:1DC710129081EC71B533232C139DA1E6
                                                                  SHA1:E6D91A05D7E09F4BFBFD5B6E74CB913FC8237B12
                                                                  SHA-256:5A428D282087283879837AE7ACEEDF5440B543B0A1A1453C5F00B0B7819CC1BC
                                                                  SHA-512:9E20FD606C2F8DA629964E6E8900C79194247D3E3AF97273301C2054B34119C17D702C2692645EE353052D43C0E5ABF467B7006F4952A483225CD812D42B3BD7
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Bears" >. <Color colorName="#080808" alpha="255" />. <Color colorName="#442c2c" alpha="255" />. <Color colorName="#50080c" alpha="255" />. <Color colorName="#483838" alpha="255" />. <Color colorName="#685444" alpha="255" />. <Color colorName="#746050" alpha="255" />. <Color colorName="#54382c" alpha="255" />. <Color colorName="#8c6858" alpha="255" />. <Color colorName="#ac745c" alpha="255" />. <Color colorName="#442c38" alpha="255" />. <Color colorName="#584844" alpha="255" />. <Color colorName="#70544c" alpha="255" />. <Color colorName="#08081c" alpha="255" />. <Color colorName="#686054" alpha="255" />. <Color colorName="#807460" alpha="255" />. <Color colorName="#a48868" alpha="255" />. <Color colorName="#787474" alpha="255" />. <Color colorName="#88806c" alpha="255" />. <Color colorName="#cca070" alpha="255" />. <Color colorName="#dcb87c" alpha="255" />. <Color colorName="#68646c" alpha="255" />. <Color colorName
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Bgold.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11099
                                                                  Entropy (8bit):4.521546649991855
                                                                  Encrypted:false
                                                                  SSDEEP:48:c86999BBhkHr68lQ77I68dXX0VVVIubWdr96IBIBWLZvRvmPV+kQ1xdrpR:9tHr68lI8dXX0VVV/bWdr9Q+kQ1xd9R
                                                                  MD5:0355D5D6840EBE4B10C35302116F0775
                                                                  SHA1:6B16C065A7AAA7817C177A6D0559CDE4EE42563B
                                                                  SHA-256:519E38D7A61151E89EA53CF7B9C807DBB79CFAE68E90EA0182E176F2242593CB
                                                                  SHA-512:4702666B1648B089B0EC809A7A4503A1BFC4B8345C3C0D8DA561549C05664719F7FDD57B09AC2363C1BA0BCB14DA798D39E68885BB191264B09EE4EA254C909C
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Bgold" >. <Color colorName="#ecd814" alpha="255" />. <Color colorName="#ecd814" alpha="255" />. <Color colorName="#ecd814" alpha="255" />. <Color colorName="#ecd414" alpha="255" />. <Color colorName="#ecd414" alpha="255" />. <Color colorName="#ecd018" alpha="255" />. <Color colorName="#ecd018" alpha="255" />. <Color colorName="#e8cc18" alpha="255" />. <Color colorName="#e8cc18" alpha="255" />. <Color colorName="#e8cc18" alpha="255" />. <Color colorName="#e8c818" alpha="255" />. <Color colorName="#e8c818" alpha="255" />. <Color colorName="#e8c418" alpha="255" />. <Color colorName="#e8c418" alpha="255" />. <Color colorName="#e4c018" alpha="255" />. <Color colorName="#e4c01c" alpha="255" />. <Color colorName="#e4bc1c" alpha="255" />. <Color colorName="#e4bc1c" alpha="255" />. <Color colorName="#e4b81c" alpha="255" />. <Color colorName="#e4b81c" alpha="255" />. <Color colorName="#e4b81c" alpha="255" />. <Color colorName
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Blues.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11099
                                                                  Entropy (8bit):4.4630297261884495
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8KYpiwnllJoOTcXE9REjvyyvcr1KnlKZ:9KYpdltkRjZ/lKZ
                                                                  MD5:4E921EE57C9BD403B003398CF48BD626
                                                                  SHA1:7FD6B75A53D5441F3EFA68BDD584376062CA4AD6
                                                                  SHA-256:F41D714E0FE850DA0FD4CE191189D052A81AF89D4BB00A3D2E8565EA74AAE371
                                                                  SHA-512:5C32355D3997F5E1B246DC46B658239512E29282E367828E5D62DB72ED6616EEA29A943253DBCB1486CB8A1849CFECBE3BA88209620A0A819A378AADD9C26B51
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Blues" >. <Color colorName="#000000" alpha="255" />. <Color colorName="#000000" alpha="255" />. <Color colorName="#000004" alpha="255" />. <Color colorName="#00000c" alpha="255" />. <Color colorName="#000010" alpha="255" />. <Color colorName="#000018" alpha="255" />. <Color colorName="#000020" alpha="255" />. <Color colorName="#000024" alpha="255" />. <Color colorName="#00002c" alpha="255" />. <Color colorName="#000030" alpha="255" />. <Color colorName="#000038" alpha="255" />. <Color colorName="#000040" alpha="255" />. <Color colorName="#000044" alpha="255" />. <Color colorName="#00004c" alpha="255" />. <Color colorName="#000050" alpha="255" />. <Color colorName="#000058" alpha="255" />. <Color colorName="#000060" alpha="255" />. <Color colorName="#000064" alpha="255" />. <Color colorName="#00006c" alpha="255" />. <Color colorName="#000074" alpha="255" />. <Color colorName="#000078" alpha="255" />. <Color colorName
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Borders.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11101
                                                                  Entropy (8bit):4.542203244391445
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8w3ZxjRhlnXqyDdt3alSyqqJmU03jtv0LZEEd6b0Hs62OfEiXkWOisqXa:9sZxRXq6de1wt7EEIHs6rfExWOYXa
                                                                  MD5:1711FC04ABAD15A9A3FD30B10088EB53
                                                                  SHA1:53E11FD716CE8C00D16B8F3381FD7B240A0AF71B
                                                                  SHA-256:5502DA0B916AF88B80F385F2057E356C32194DA32D953B19BEF64BAC76388195
                                                                  SHA-512:E5D5F19CF7F4E4F94EEFEB17B5CA60093388FF6A80BE6843C8A5DDC144F7B00CA5D4EDE67352105FACCE25E30D179070BC4E582A9777C4E81E6B0E660A7C6F45
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Borders" >. <Color colorName="#cc34b4" alpha="255" />. <Color colorName="#cc34b4" alpha="255" />. <Color colorName="#cc34b8" alpha="255" />. <Color colorName="#cc30bc" alpha="255" />. <Color colorName="#c830c0" alpha="255" />. <Color colorName="#c82cc8" alpha="255" />. <Color colorName="#c82ccc" alpha="255" />. <Color colorName="#c428d0" alpha="255" />. <Color colorName="#c428d4" alpha="255" />. <Color colorName="#c424dc" alpha="255" />. <Color colorName="#c024e0" alpha="255" />. <Color colorName="#c020e4" alpha="255" />. <Color colorName="#c020e8" alpha="255" />. <Color colorName="#bc1cf0" alpha="255" />. <Color colorName="#bc1cf4" alpha="255" />. <Color colorName="#bc18f8" alpha="255" />. <Color colorName="#bc18fc" alpha="255" />. <Color colorName="#c01cf8" alpha="255" />. <Color colorName="#c020f8" alpha="255" />. <Color colorName="#c424f8" alpha="255" />. <Color colorName="#c428f4" alpha="255" />. <Color colorNa
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\BrownsAndYellows.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1050
                                                                  Entropy (8bit):4.692876636956054
                                                                  Encrypted:false
                                                                  SSDEEP:24:2d8fHqjKwI0U0yjKNdEqqI0CD3cqpIoqwIb3LPXVqv:c8vExHt7oM
                                                                  MD5:68A91F330C057C4B09024F8A61D76683
                                                                  SHA1:D9E9A9A61B750FE5CA7691E754452242154B7088
                                                                  SHA-256:BEA0E70D85CD0E9BCC4E6083B88A4062DA73751CE3DF765587940AAA379D1BFF
                                                                  SHA-512:7EF53086C5D838DD2F5D6585FFBE52C06B5AF32EC5B1A721119AA58DEE1181D3D4EE62F83A734264FCD5C043FCEAAF29760DE623B383816B2D273B1CD83236A5
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Browns And Yellows" >. <Color colorName="#bdb76b" alpha="255" />. <Color colorName="#f0e68c" alpha="255" />. <Color colorName="#eee8aa" alpha="255" />. <Color colorName="#fafad2" alpha="255" />. <Color colorName="#ffffe0" alpha="255" />. <Color colorName="#ffff00" alpha="255" />. <Color colorName="#ffd700" alpha="255" />. <Color colorName="#eedd82" alpha="255" />. <Color colorName="#daa520" alpha="255" />. <Color colorName="#b8860b" alpha="255" />. <Color colorName="#bc8f8f" alpha="255" />. <Color colorName="#8b4513" alpha="255" />. <Color colorName="#a0522d" alpha="255" />. <Color colorName="#cd853f" alpha="255" />. <Color colorName="#deb887" alpha="255" />. <Color colorName="#f5f5dc" alpha="255" />. <Color colorName="#f5deb3" alpha="255" />. <Color colorName="#f4a460" alpha="255" />. <Color colorName="#d2b48c" alpha="255" />. <Color colorName="#d2691e" alpha="255" />. <Color colorName="#ffa500" alpha="255" />. <Co
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Caramel.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11101
                                                                  Entropy (8bit):4.516595588414972
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8DYdnffnqF/m8vNA8OpuOojY7Ji6bdblCoqg86LCP5+4:98vqFJwujjY7JiublCw86i+4
                                                                  MD5:0CE40760E381E5049A723E79F88669D0
                                                                  SHA1:033B51FF18D470E7BF244CC89F0FF03E7CEF238C
                                                                  SHA-256:7FCBFEB0E28EAF8B1D0A506CEB729B6725AA2ABA551B797C0380BBCFE10A4AC4
                                                                  SHA-512:9D8C31FC5AB58F7714BB8D6A3A59B5F52B8AA9C35B96925191B5C479B565028C480DEC5C737FC25C782E168E9CDD0E4F60053F634D0BED2336ABA8E133F0AF38
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Caramel" >. <Color colorName="#303030" alpha="255" />. <Color colorName="#a488c0" alpha="255" />. <Color colorName="#ac8cc0" alpha="255" />. <Color colorName="#b490c0" alpha="255" />. <Color colorName="#bc94c0" alpha="255" />. <Color colorName="#c498c0" alpha="255" />. <Color colorName="#cc98c0" alpha="255" />. <Color colorName="#d49cc0" alpha="255" />. <Color colorName="#dca0c0" alpha="255" />. <Color colorName="#e4a4c0" alpha="255" />. <Color colorName="#eca8c0" alpha="255" />. <Color colorName="#e4a0bc" alpha="255" />. <Color colorName="#d894b8" alpha="255" />. <Color colorName="#cc88b4" alpha="255" />. <Color colorName="#c07cb0" alpha="255" />. <Color colorName="#b470a8" alpha="255" />. <Color colorName="#a868a4" alpha="255" />. <Color colorName="#9c5ca0" alpha="255" />. <Color colorName="#90509c" alpha="255" />. <Color colorName="#844498" alpha="255" />. <Color colorName="#783890" alpha="255" />. <Color colorNa
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Cascade.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11101
                                                                  Entropy (8bit):4.517294231791309
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8bKovLmpFtVe/+++Hmmfss6WWsAD333+qGG86:9bKkLyn3ss6WWsAD333M6
                                                                  MD5:8F4FD0FB6EBA0E036B26DFBCA377F0B1
                                                                  SHA1:2D834A27497795BF3474CB699782360720EA3025
                                                                  SHA-256:3604874BADAD549B7680006F4ACF15C0DD1B96939D0233538FA849C794172606
                                                                  SHA-512:B93B7611273B68E7ACB53EC2ACF331197BAB7DAF9028B9133082EB1ADDB4A02FBFF5E634B4CEAC61F15E290991C2486C2B36EB87AD1CFC40087F90090A7A5703
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Cascade" >. <Color colorName="#6c5880" alpha="255" />. <Color colorName="#6c5880" alpha="255" />. <Color colorName="#6c5880" alpha="255" />. <Color colorName="#685c84" alpha="255" />. <Color colorName="#685c84" alpha="255" />. <Color colorName="#645c84" alpha="255" />. <Color colorName="#605c84" alpha="255" />. <Color colorName="#606088" alpha="255" />. <Color colorName="#5c6088" alpha="255" />. <Color colorName="#5c6088" alpha="255" />. <Color colorName="#586088" alpha="255" />. <Color colorName="#54648c" alpha="255" />. <Color colorName="#54648c" alpha="255" />. <Color colorName="#50648c" alpha="255" />. <Color colorName="#4c6088" alpha="255" />. <Color colorName="#50648c" alpha="255" />. <Color colorName="#546890" alpha="255" />. <Color colorName="#586894" alpha="255" />. <Color colorName="#5c6c94" alpha="255" />. <Color colorName="#607098" alpha="255" />. <Color colorName="#64709c" alpha="255" />. <Color colorNa
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\China.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11099
                                                                  Entropy (8bit):4.5436058428416395
                                                                  Encrypted:false
                                                                  SSDEEP:96:91wuESUTQNNNNttK444Ut7Ou8saS4pvSsLDGxOW:91wGf07WSLR
                                                                  MD5:293CEE28AA8E6D993D1302ACE9370E38
                                                                  SHA1:0D02602435FB8C4AD1CF48FBF179B26186505F6B
                                                                  SHA-256:2ACE81250383F6E244713D2F318570AA28871CF70D076428D80BA6627139E046
                                                                  SHA-512:EAD9F4F61E8E62A04E235EE948B130E68B4EF7FE7287C24D3D596213A72B9CB828D21150926B3FF3376C21E7F13E0E2D1248A971079356F70B42BFFBCC66A2F4
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="China" >. <Color colorName="#e04cf0" alpha="255" />. <Color colorName="#e04cf0" alpha="255" />. <Color colorName="#e050f0" alpha="255" />. <Color colorName="#e054f0" alpha="255" />. <Color colorName="#e458f0" alpha="255" />. <Color colorName="#e45cf0" alpha="255" />. <Color colorName="#e460f0" alpha="255" />. <Color colorName="#e460f0" alpha="255" />. <Color colorName="#e464f0" alpha="255" />. <Color colorName="#e468f0" alpha="255" />. <Color colorName="#e46cf0" alpha="255" />. <Color colorName="#e870f0" alpha="255" />. <Color colorName="#e874f0" alpha="255" />. <Color colorName="#e878f0" alpha="255" />. <Color colorName="#e878f0" alpha="255" />. <Color colorName="#e87cf0" alpha="255" />. <Color colorName="#e880f0" alpha="255" />. <Color colorName="#e884f0" alpha="255" />. <Color colorName="#e888f0" alpha="255" />. <Color colorName="#ec8cf0" alpha="255" />. <Color colorName="#ec8cf0" alpha="255" />. <Color colorName
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Coldfire.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11102
                                                                  Entropy (8bit):4.522402394593415
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8mvK/6xwQZEl9m4vkUYQHHqmu4KK22UldeaHN:9adxovkU9HY
                                                                  MD5:D448BB01E8902429F2BEF222C53D28A0
                                                                  SHA1:07453AEE1FA4B522AD9BCA7B0E2FC4A1518E5EEF
                                                                  SHA-256:10C7AAC4EAB5958928539E841A1842BEA8BA8209D5EA0B174F384CB23BB7E714
                                                                  SHA-512:83C09B8A1A71B5BC7FE0B32A73110CFD8D0D72F72D5047BAEDF2C4C93F91205FCCA5A99446D5366527755FC02DADBDCC59B2DC1275B6A2D511D348716B5D4C2D
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Coldfire" >. <Color colorName="#00acfc" alpha="255" />. <Color colorName="#00acfc" alpha="255" />. <Color colorName="#00acfc" alpha="255" />. <Color colorName="#00a8fc" alpha="255" />. <Color colorName="#00a4fc" alpha="255" />. <Color colorName="#00a0fc" alpha="255" />. <Color colorName="#009cfc" alpha="255" />. <Color colorName="#0098fc" alpha="255" />. <Color colorName="#0098fc" alpha="255" />. <Color colorName="#0094fc" alpha="255" />. <Color colorName="#0090fc" alpha="255" />. <Color colorName="#008cfc" alpha="255" />. <Color colorName="#0088fc" alpha="255" />. <Color colorName="#0084fc" alpha="255" />. <Color colorName="#0084fc" alpha="255" />. <Color colorName="#0080fc" alpha="255" />. <Color colorName="#007cfc" alpha="255" />. <Color colorName="#0078fc" alpha="255" />. <Color colorName="#0074fc" alpha="255" />. <Color colorName="#0070fc" alpha="255" />. <Color colorName="#0070fc" alpha="255" />. <Color colorN
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\CoolColors.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):441
                                                                  Entropy (8bit):4.778302988981003
                                                                  Encrypted:false
                                                                  SSDEEP:12:TMHd89y/eFahgerwgegnhgeygewgemge5geMWhhg:2d89y/SaquNFnqg+QRB9
                                                                  MD5:0117B756BA1ADF57FC7174E4CA129F9B
                                                                  SHA1:73991BF7AB90C93C83C253459A96F09C3A8A30B6
                                                                  SHA-256:8EAC6B815D8592CA469F73EA7EB135A59CB1D01240341BD2B25122C078EF7969
                                                                  SHA-512:BE410F4AC8086FDCBB7AFAFCBC14972EB9A7FEBB7697EC5F0E7554D2403E9B928ECF999BB1CCC6EC0255D0C978D9EA6E602296435C1CB20B130022CE560EF343
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Cool Colors" >. <Color colorName="#112ac6" alpha="255" />. <Color colorName="#539be2" alpha="255" />. <Color colorName="#161066" alpha="255" />. <Color colorName="#40234c" alpha="255" />. <Color colorName="#073f93" alpha="255" />. <Color colorName="#2c6ccc" alpha="255" />. <Color colorName="#265121" alpha="255" />. <Color colorName="#04422c" alpha="255" />.</Palette>.
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Cranes.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11100
                                                                  Entropy (8bit):4.529756828731143
                                                                  Encrypted:false
                                                                  SSDEEP:96:9DKeijz3LRWCfy9eXS29C/v6bSiZdPsbZun:9DKeOLwsThC/vijPgZun
                                                                  MD5:965513CD3FAECC248B9BD74826973763
                                                                  SHA1:00EB93C95A11ED6F454AB4FA7E1A91710C85BD49
                                                                  SHA-256:EFC578E3ACD95A1A02B4256EFAE6B667B57F89FFA8802CBD0FC76158BCFE3C3B
                                                                  SHA-512:7417ECDF4FD22E6A8C2C19D370CE3BDCAC16340CF39B19274F778D684BA32CC4172F737BDD14DF8991C50AB20E9BD94FB1C15A406673BD2440D65C5BA2BF2C68
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Cranes" >. <Color colorName="#080808" alpha="255" />. <Color colorName="#c0b090" alpha="255" />. <Color colorName="#c0a480" alpha="255" />. <Color colorName="#504844" alpha="255" />. <Color colorName="#708c58" alpha="255" />. <Color colorName="#688460" alpha="255" />. <Color colorName="#5c6854" alpha="255" />. <Color colorName="#18080c" alpha="255" />. <Color colorName="#606c5c" alpha="255" />. <Color colorName="#80684c" alpha="255" />. <Color colorName="#2c1c18" alpha="255" />. <Color colorName="#9c8c74" alpha="255" />. <Color colorName="#9c9474" alpha="255" />. <Color colorName="#44443c" alpha="255" />. <Color colorName="#d4c494" alpha="255" />. <Color colorName="#90886c" alpha="255" />. <Color colorName="#a09480" alpha="255" />. <Color colorName="#d8dcd8" alpha="255" />. <Color colorName="#2c1c28" alpha="255" />. <Color colorName="#440c10" alpha="255" />. <Color colorName="#0c0820" alpha="255" />. <Color colorNam
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Darkpastels.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11106
                                                                  Entropy (8bit):4.520954509267113
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8tJXTREE1xQSN+3aX5TNZsU2bRERvvQVPttl+lIofeWfgqzmGfHRII:9XTPcKJNZWbRE2+lIoGWgqzBv
                                                                  MD5:7DD9866633CE45F76060C588E030465B
                                                                  SHA1:93976533A4B005FC12A96113738EF75A15761DB9
                                                                  SHA-256:FC9E858A9B4DC26C25C345C91AF753F0B60998F5041EFE4A1FEC63979A5B8AF9
                                                                  SHA-512:04285509F540E047DC21D89E95D4608385C80BF3C207A4CE3AE3E17AC5AEB7DE7EDA6D4E679C16F0F44C810539A8BF6962DE1E89DB20DB10056554DC123A3DB6
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Dark pastels" >. <Color colorName="#3868b8" alpha="255" />. <Color colorName="#3468b4" alpha="255" />. <Color colorName="#3468b4" alpha="255" />. <Color colorName="#3468b0" alpha="255" />. <Color colorName="#3468b0" alpha="255" />. <Color colorName="#3068ac" alpha="255" />. <Color colorName="#3068ac" alpha="255" />. <Color colorName="#3064a8" alpha="255" />. <Color colorName="#3064a8" alpha="255" />. <Color colorName="#2c64a4" alpha="255" />. <Color colorName="#2c64a4" alpha="255" />. <Color colorName="#2c64a4" alpha="255" />. <Color colorName="#2c64a0" alpha="255" />. <Color colorName="#2c64a0" alpha="255" />. <Color colorName="#28649c" alpha="255" />. <Color colorName="#28649c" alpha="255" />. <Color colorName="#286098" alpha="255" />. <Color colorName="#286098" alpha="255" />. <Color colorName="#246094" alpha="255" />. <Color colorName="#246094" alpha="255" />. <Color colorName="#246090" alpha="255" />. <Color co
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Default.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):7844
                                                                  Entropy (8bit):4.635293636307541
                                                                  Encrypted:false
                                                                  SSDEEP:48:c86EXoQn/Yd/TQ6zXB6F29/TfdvgK6Dw4yECGwk:962r/YVEkh3awCZl
                                                                  MD5:9E2FD870F0AA02E4F83CE0CD84A6D1B1
                                                                  SHA1:0F6EA68107C4FCD6E071F78CDF4074DAC126FBE2
                                                                  SHA-256:364FEF379510A503BA894521456CAEDACA07E6897997DC647F6BEC34736C7C3B
                                                                  SHA-512:08BC5B7CA976B2E2D7C9194CADB51E303E3627FF6F6055958E1D5ABF888D679FA279343A388792FD0C24E5E1CF87D01E896542CE665C7B0F3567771B492BA38A
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Default Palette" >. Row 0 -->. <Color colorName="#ea0003" alpha="255" />. <Color colorName="#cc1294" alpha="255" />. <Color colorName="#990099" alpha="255" />. <Color colorName="#2408dd" alpha="255" />. <Color colorName="#0067ce" alpha="255" />. <Color colorName="#003663" alpha="255" />. <Color colorName="#005b7b" alpha="255" />. <Color colorName="#005952" alpha="255" />. <Color colorName="#005826" alpha="255" />. <Color colorName="#005e20" alpha="255" />. <Color colorName="#406618" alpha="255" />. <Color colorName="#827b00" alpha="255" />. <Color colorName="#7d4900" alpha="255" />. <Color colorName="#7b2e00" alpha="255" />. <Color colorName="#790000" alpha="255" />. <Color colorName="#7a0026" alpha="255" />. Row 1 -->. <Color colorName="#ff171a" alpha="255" />. <Color colorName="#e814a9" alpha="255" />. <Color colorName="#930d93" alpha="255" />. <Color colorName="#361cff" alpha="255" />. <Color colorName=
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Ega.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):10409
                                                                  Entropy (8bit):4.404098133451595
                                                                  Encrypted:false
                                                                  SSDEEP:24:2d8+KKVG0v/+Hpf+19h0L3TKKVG0v/+Hpf+19h0L3TKKVG0v/+Hpf+19h0L3TKKJ:c83iiiiiiiiiiiiii3
                                                                  MD5:F0FA14A067634EAB20068E39683FE4B9
                                                                  SHA1:B371614418D57E2E0BDCEAAA65E31868EE2CBB4A
                                                                  SHA-256:05133D0E4128B2A15DAF6A1C98A71D1578934C02B1ADE5AEC1C24318486EC600
                                                                  SHA-512:AFDEF18AC9BD9B6760A23C96062F77B7C14EC67C34513A3DBED77A86FC730B8C1360991A3EAF90A41FC43F922C466A45387992419EFA27D0C1936EFD43378496
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Ega" >. <Color colorName="#000000" alpha="255" />. <Color colorName="#a800a8" alpha="255" />. <Color colorName="#fc5454" alpha="255" />. <Color colorName="#fc54a8" alpha="255" />. <Color colorName="#fc54fc" alpha="255" />. <Color colorName="#fca8fc" alpha="255" />. <Color colorName="#fcfc00" alpha="255" />. <Color colorName="#fcfca8" alpha="255" />. <Color colorName="#fcfcfc" alpha="255" />. <Color colorName="#a8fcfc" alpha="255" />. <Color colorName="#00fcfc" alpha="255" />. <Color colorName="#54a8fc" alpha="255" />. <Color colorName="#0000fc" alpha="255" />. <Color colorName="#0054a8" alpha="255" />. <Color colorName="#000054" alpha="255" />. <Color colorName="#545454" alpha="255" />. <Color colorName="#000000" alpha="255" />. <Color colorName="#a800a8" alpha="255" />. <Color colorName="#fc5454" alpha="255" />. <Color colorName="#fc54a8" alpha="255" />. <Color colorName="#fc54fc" alpha="255" />. <Color colorName="
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Firecode.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11102
                                                                  Entropy (8bit):4.466369461275854
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8gGTMs3/4+plYPFawx9VXDZZZZ5MwUUQwalbaN:9fl3/4+p+PFawx9FZZZZ5t
                                                                  MD5:0B35D57AB8DF8F1D8E5C76CF9293F427
                                                                  SHA1:AEC01875BBAA8EBBE7A8EE7AA49B694A4B21AA4B
                                                                  SHA-256:1F6E201FB810FB2860A5E39ECE07344BAABA0BF8D79F597D3026B5E716716B0E
                                                                  SHA-512:648817DCE5E9721BFC6082AA6E72E830D4F4CDECA35299577B10A30A230A0500A4122C306ABACA018B22E09C2B11B9DCFC192AFC74306B05976AA0CBB4865125
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Firecode" >. <Color colorName="#000000" alpha="255" />. <Color colorName="#000018" alpha="255" />. <Color colorName="#000018" alpha="255" />. <Color colorName="#00001c" alpha="255" />. <Color colorName="#000020" alpha="255" />. <Color colorName="#000020" alpha="255" />. <Color colorName="#000024" alpha="255" />. <Color colorName="#000028" alpha="255" />. <Color colorName="#080028" alpha="255" />. <Color colorName="#100024" alpha="255" />. <Color colorName="#180024" alpha="255" />. <Color colorName="#200020" alpha="255" />. <Color colorName="#28001c" alpha="255" />. <Color colorName="#30001c" alpha="255" />. <Color colorName="#380018" alpha="255" />. <Color colorName="#400014" alpha="255" />. <Color colorName="#480014" alpha="255" />. <Color colorName="#500010" alpha="255" />. <Color colorName="#580010" alpha="255" />. <Color colorName="#60000c" alpha="255" />. <Color colorName="#680008" alpha="255" />. <Color colorN
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Gold.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11098
                                                                  Entropy (8bit):4.482834229821559
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8ulntN1hdL4jwBhhhuaaamQQQX111yiii1:9ulnDBhhhuaaamQQQj
                                                                  MD5:7977E01B76DB83866358B2B41322C15F
                                                                  SHA1:DCCE15C205F55D57BF4BB8D0BE9191773E7B8B6F
                                                                  SHA-256:88C2044553D083F0C61349F5F0A07B31EDD8CE09F1CE72AF3863835DFB69BC7C
                                                                  SHA-512:D087A7C58040224BB5433A825D63DDCBBDC61D8D6CF97A06EEA0EB259FB5D6FE738B5DEFEBD6B14A977BC49B9C70DB0F8EC6DB3371B5961E603A88EF68D3B890
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Gold" >. <Color colorName="#fcfc80" alpha="255" />. <Color colorName="#fcfc80" alpha="255" />. <Color colorName="#fcf87c" alpha="255" />. <Color colorName="#fcf87c" alpha="255" />. <Color colorName="#fcf478" alpha="255" />. <Color colorName="#f8f478" alpha="255" />. <Color colorName="#f8f074" alpha="255" />. <Color colorName="#f8f070" alpha="255" />. <Color colorName="#f8ec70" alpha="255" />. <Color colorName="#f4ec6c" alpha="255" />. <Color colorName="#f4e86c" alpha="255" />. <Color colorName="#f4e868" alpha="255" />. <Color colorName="#f4e468" alpha="255" />. <Color colorName="#f0e464" alpha="255" />. <Color colorName="#f0e060" alpha="255" />. <Color colorName="#f0e060" alpha="255" />. <Color colorName="#f0dc5c" alpha="255" />. <Color colorName="#ecdc5c" alpha="255" />. <Color colorName="#ecd858" alpha="255" />. <Color colorName="#ecd854" alpha="255" />. <Color colorName="#ecd454" alpha="255" />. <Color colorName=
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\GrayViolet.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11104
                                                                  Entropy (8bit):4.5402144827643705
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8uSLtvw3VcClq4m24gygvJWb4qNWmk+sH5mlg3nwntPmYYOjOrG1UpM:9jvwlcClqMgoZmwnUQlOjOrG1UpM
                                                                  MD5:E1C4FC5A5F9CF9AE8505662465102BF0
                                                                  SHA1:545CDE2EEEDF122AA4F48C72A583207AD6E7431E
                                                                  SHA-256:6EAE7D2BF9A9407D53425DE940A727A0E0E2F79C5D445A7FAF71BA1853ED1A06
                                                                  SHA-512:2FA2F41AE044AEEEA2D4B1CAADD9696B043C4EDC571A0EF719A46DEF78022EFAFA3BA485CD0BF6BA1D4897AAD13583A6C4A8B9BFC2342AA20D6F00DF5AF227B7
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="GrayViolet" >. <Color colorName="#000000" alpha="255" />. <Color colorName="#000000" alpha="255" />. <Color colorName="#040404" alpha="255" />. <Color colorName="#040404" alpha="255" />. <Color colorName="#080808" alpha="255" />. <Color colorName="#080808" alpha="255" />. <Color colorName="#0c0c0c" alpha="255" />. <Color colorName="#0c0c0c" alpha="255" />. <Color colorName="#101010" alpha="255" />. <Color colorName="#101010" alpha="255" />. <Color colorName="#141414" alpha="255" />. <Color colorName="#141414" alpha="255" />. <Color colorName="#141818" alpha="255" />. <Color colorName="#181818" alpha="255" />. <Color colorName="#181c1c" alpha="255" />. <Color colorName="#1c1c1c" alpha="255" />. <Color colorName="#1c2020" alpha="255" />. <Color colorName="#202020" alpha="255" />. <Color colorName="#202024" alpha="255" />. <Color colorName="#242424" alpha="255" />. <Color colorName="#242428" alpha="255" />. <Color colo
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Grayblue.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11102
                                                                  Entropy (8bit):4.510794721838206
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8EzBsigWoNmmc3hIggg2YSrSrSrSqttNWS4444c3x11oSSSyyyOOslGmmmbBBw:92BgWoAMeeeqttwx118mmmE
                                                                  MD5:C91880ADED9B78732A397979BEC65E2D
                                                                  SHA1:A01B99311DD1E6A47E204B85239DB5B75FE0CED9
                                                                  SHA-256:B4192C468E0F217FAF1553E7B4F66746B8443AADEFE187A11F4363144FF368CF
                                                                  SHA-512:DA92F840ABCFB60A719AF9BC804CE1BF26EF638FE4A7A835546821324FD48911FEEBAE478F4719104079BD38E399AA7C114CD4C4897BA9BC0254D24C462B31C6
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Grayblue" >. <Color colorName="#7ca480" alpha="255" />. <Color colorName="#7ca480" alpha="255" />. <Color colorName="#7ca47c" alpha="255" />. <Color colorName="#7ca07c" alpha="255" />. <Color colorName="#7ca07c" alpha="255" />. <Color colorName="#78a07c" alpha="255" />. <Color colorName="#78a07c" alpha="255" />. <Color colorName="#789c7c" alpha="255" />. <Color colorName="#789c7c" alpha="255" />. <Color colorName="#789c78" alpha="255" />. <Color colorName="#749c78" alpha="255" />. <Color colorName="#749878" alpha="255" />. <Color colorName="#749878" alpha="255" />. <Color colorName="#749878" alpha="255" />. <Color colorName="#749878" alpha="255" />. <Color colorName="#709474" alpha="255" />. <Color colorName="#709474" alpha="255" />. <Color colorName="#709474" alpha="255" />. <Color colorName="#709474" alpha="255" />. <Color colorName="#709074" alpha="255" />. <Color colorName="#6c9074" alpha="255" />. <Color colorN
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Grays.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1424
                                                                  Entropy (8bit):4.637437827073644
                                                                  Encrypted:false
                                                                  SSDEEP:24:2d8p1kqYeqC7+qP53qYMq/xqUt+qVUyqe+0MpqUIAOqKz+qwtL+qRnnqq+0Ypqvj:c8pGCCqq+e
                                                                  MD5:6D1133FBC427F3DA6A9C55EF7E2D7F58
                                                                  SHA1:EF743865A9FF382D2F3821505CA255CBA76CE9A6
                                                                  SHA-256:E3E4A67D02E7436F6A6C9905598A706E33FD2EBAD4FF935FA22DB9711B150405
                                                                  SHA-512:8FC006CE578B37083C219086B5C5ACC66069AF0A1375EF726741BD41389AF5A9372CA2BB4B8B26FDE74C0A7456E7F1AD59369ECE5BE26625DF562BC62353E49B
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Grays" >. <Color colorName="#070707" alpha="255" />. <Color colorName="#0f0f0f" alpha="255" />. <Color colorName="#171717" alpha="255" />. <Color colorName="#1f1f1f" alpha="255" />. <Color colorName="#272727" alpha="255" />. <Color colorName="#2f2f2f" alpha="255" />. <Color colorName="#373737" alpha="255" />. <Color colorName="#3f3f3f" alpha="255" />. <Color colorName="#474747" alpha="255" />. <Color colorName="#4f4f4f" alpha="255" />. <Color colorName="#575757" alpha="255" />. <Color colorName="#5f5f5f" alpha="255" />. <Color colorName="#676767" alpha="255" />. <Color colorName="#6f6f6f" alpha="255" />. <Color colorName="#777777" alpha="255" />. <Color colorName="#7f7f7f" alpha="255" />. <Color colorName="#878787" alpha="255" />. <Color colorName="#8f8f8f" alpha="255" />. <Color colorName="#979797" alpha="255" />. <Color colorName="#9f9f9f" alpha="255" />. <Color colorName="#a7a7a7" alpha="255" />. <Color colorName
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Greens.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11100
                                                                  Entropy (8bit):4.462825236322438
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8GFFpU3JZqjKEJ3c1ZlboQSUEHHvtNbZixjZa:90iX+Hvncw
                                                                  MD5:98FFBC8069263E57999786204EBCBE86
                                                                  SHA1:B1BABEB3E7554716EFC305E40BC04DC4B9C4357B
                                                                  SHA-256:EC87139E70B4B4FDD070DF210FC671F2CC85395ACC8CD2177B3D05BC2E253BAA
                                                                  SHA-512:AFBB9D8707361DAAC0631C3039A00BB7F0827464C6BC30440D45D2FEBB4DDD003587330900D38A47A49EDA9C30C328246E9F4C4F9FA8DE8FA423EFDE05D60CC7
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Greens" >. <Color colorName="#000000" alpha="255" />. <Color colorName="#000000" alpha="255" />. <Color colorName="#000400" alpha="255" />. <Color colorName="#000c00" alpha="255" />. <Color colorName="#001000" alpha="255" />. <Color colorName="#001800" alpha="255" />. <Color colorName="#002000" alpha="255" />. <Color colorName="#002400" alpha="255" />. <Color colorName="#002c00" alpha="255" />. <Color colorName="#003000" alpha="255" />. <Color colorName="#003800" alpha="255" />. <Color colorName="#004000" alpha="255" />. <Color colorName="#004400" alpha="255" />. <Color colorName="#004c00" alpha="255" />. <Color colorName="#005000" alpha="255" />. <Color colorName="#005800" alpha="255" />. <Color colorName="#006000" alpha="255" />. <Color colorName="#006400" alpha="255" />. <Color colorName="#006c00" alpha="255" />. <Color colorName="#007400" alpha="255" />. <Color colorName="#007800" alpha="255" />. <Color colorNam
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Hilite.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11100
                                                                  Entropy (8bit):4.534046987862113
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8vfUU/0BcGGLn3aXqtgbH7t0JTJ7F5BBSOihj7XP6PWUfIzzB//q3r:9vPGGLKXogeFK7XiB3r
                                                                  MD5:B4D3F6AFE3D6B208E889C165358FDFCC
                                                                  SHA1:43A63F43BF3BD0D97A3ABFE0BF9D7930B5AFF6D6
                                                                  SHA-256:611A50A838237E67ED3C842B5B1F70D0634AFA44ED1F805B24CF455B137028DC
                                                                  SHA-512:9810808FAC6C565D3F9F9D2118B3AC41927B37FCCA73AB0392CDCBFF3A8BE9AAE59DC0F0DFDEFCDFB9CB41DE1D85D473FB25DE33DD7F66F245CE00879DFE4088
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Hilite" >. <Color colorName="#a490b4" alpha="255" />. <Color colorName="#a090b4" alpha="255" />. <Color colorName="#a090b4" alpha="255" />. <Color colorName="#a090b0" alpha="255" />. <Color colorName="#a090b0" alpha="255" />. <Color colorName="#a08cac" alpha="255" />. <Color colorName="#a08cac" alpha="255" />. <Color colorName="#a08ca8" alpha="255" />. <Color colorName="#a08ca8" alpha="255" />. <Color colorName="#a08ca8" alpha="255" />. <Color colorName="#a08ca4" alpha="255" />. <Color colorName="#a088a4" alpha="255" />. <Color colorName="#9c88a0" alpha="255" />. <Color colorName="#9c88a0" alpha="255" />. <Color colorName="#9c889c" alpha="255" />. <Color colorName="#9c889c" alpha="255" />. <Color colorName="#9c889c" alpha="255" />. <Color colorName="#9c8498" alpha="255" />. <Color colorName="#9c8498" alpha="255" />. <Color colorName="#9c8494" alpha="255" />. <Color colorName="#9c8494" alpha="255" />. <Color colorNam
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Khaki.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):11099
                                                                  Entropy (8bit):4.513677329893502
                                                                  Encrypted:false
                                                                  SSDEEP:96:9oimmq++ZthhNiu37RQBBhhlew/gugug5lkXddgptttI:9Y7RQBBhhD//Sk40
                                                                  MD5:29A8B7BD0D763691535158B4E6901082
                                                                  SHA1:9411117C64A9E9226A6CF7C5CFC4AF47130C8BBB
                                                                  SHA-256:28CC002FBBDC1C9F642ACD5833006971129224474D281B215EBA84D8057F0E17
                                                                  SHA-512:504C2DFA593F4F883A60B6459CBA1073DB9DE6D99CBD8CD2E6F8FAB8316D17A1A38C3F5DB84ABE7B68612F665A5F92B7BD603F2FF6CEF2C189FBEA9BAE00FF16
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Khaki" >. <Color colorName="#90846c" alpha="255" />. <Color colorName="#908470" alpha="255" />. <Color colorName="#908470" alpha="255" />. <Color colorName="#908474" alpha="255" />. <Color colorName="#908874" alpha="255" />. <Color colorName="#908878" alpha="255" />. <Color colorName="#908878" alpha="255" />. <Color colorName="#908c78" alpha="255" />. <Color colorName="#908c7c" alpha="255" />. <Color colorName="#908c7c" alpha="255" />. <Color colorName="#908c80" alpha="255" />. <Color colorName="#909080" alpha="255" />. <Color colorName="#909084" alpha="255" />. <Color colorName="#909084" alpha="255" />. <Color colorName="#909088" alpha="255" />. <Color colorName="#909488" alpha="255" />. <Color colorName="#909488" alpha="255" />. <Color colorName="#90948c" alpha="255" />. <Color colorName="#90988c" alpha="255" />. <Color colorName="#909890" alpha="255" />. <Color colorName="#909890" alpha="255" />. <Color colorName
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Lights.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):1167
                                                                  Entropy (8bit):4.563970618798404
                                                                  Encrypted:false
                                                                  SSDEEP:24:2d8q9eNjqvjFw4qEYqNqmIEorFw9EHMJ+C5qUyqz9Eyc:c8qrW1
                                                                  MD5:408E80BCEE5CA28CF0975443D5C64FB3
                                                                  SHA1:63B98D8F1C05AA61E32C82F9918D9F878F620868
                                                                  SHA-256:4ABDC44792D22B4AD4127D0223CF4251B6CC3A7DB375E7C654DB6C1DBF6508A5
                                                                  SHA-512:83D3EB545C408F52B1C53CC164B0F73705D1E51166C2E17D6BEEEBA2216F5063390C0D40A36646327C6FFFB39A578F42A62D2E090A94931FED6C0760DF3926D1
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Lights" >. <Color colorName="#fffafa" alpha="255" />. <Color colorName="#f8f8ff" alpha="255" />. <Color colorName="#f5f5f5" alpha="255" />. <Color colorName="#dcdcdc" alpha="255" />. <Color colorName="#fffaf0" alpha="255" />. <Color colorName="#fdf5e6" alpha="255" />. <Color colorName="#faf0e6" alpha="255" />. <Color colorName="#faebd7" alpha="255" />. <Color colorName="#ffefd5" alpha="255" />. <Color colorName="#ffebcd" alpha="255" />. <Color colorName="#ffe4c4" alpha="255" />. <Color colorName="#ffdab9" alpha="255" />. <Color colorName="#ffdead" alpha="255" />. <Color colorName="#ffe4b5" alpha="255" />. <Color colorName="#fff8dc" alpha="255" />. <Color colorName="#fffff0" alpha="255" />. <Color colorName="#fffacd" alpha="255" />. <Color colorName="#fff5ee" alpha="255" />. <Color colorName="#f0fff0" alpha="255" />. <Color colorName="#f5fffa" alpha="255" />. <Color colorName="#f0ffff" alpha="255" />. <Color colorNam
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\Muted.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):3445
                                                                  Entropy (8bit):4.585233717349798
                                                                  Encrypted:false
                                                                  SSDEEP:24:2d82UASDj24TnsEq+nVtzsOtHe0CqtrKcnM3WqNuKFc4FIPcHlryZeCKxqoZAP0h:c8r3eu6ZLgmbo2P
                                                                  MD5:62FF50650F4445EFED8372C38FDB1A3D
                                                                  SHA1:BEC662C8C5D5CE9C8EE3040F7960443E74EC3F86
                                                                  SHA-256:8DA14B7FAA69DAEBE69EADFAD448CCE10E9FAAB5217059CDA4EE1E81345F78FB
                                                                  SHA-512:C64A3956631E67171A71EA96E2EA001C4137814EE7019C5AE6BB589E7241351E8D50480DBD987071DC9A956A3DBEEE9141F6991AC7E867A4126EE2CD9772DF5E
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Muted" >. <Color colorName="#8b8989" alpha="255" />. <Color colorName="#8b8682" alpha="255" />. <Color colorName="#8b8378" alpha="255" />. <Color colorName="#8b7d6b" alpha="255" />. <Color colorName="#8b7765" alpha="255" />. <Color colorName="#8b795e" alpha="255" />. <Color colorName="#8b8970" alpha="255" />. <Color colorName="#8b8878" alpha="255" />. <Color colorName="#8b8b83" alpha="255" />. <Color colorName="#838b83" alpha="255" />. <Color colorName="#8b8386" alpha="255" />. <Color colorName="#8b7d7b" alpha="255" />. <Color colorName="#838b8b" alpha="255" />. <Color colorName="#473c8b" alpha="255" />. <Color colorName="#27408b" alpha="255" />. <Color colorName="#00008b" alpha="255" />. <Color colorName="#104e8b" alpha="255" />. <Color colorName="#36648b" alpha="255" />. <Color colorName="#00688b" alpha="255" />. <Color colorName="#4a708b" alpha="255" />. <Color colorName="#607b8b" alpha="255" />. <Color colorName
                                                                  C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\palettes\NamedColors.tpal (copy)
                                                                  Process:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  File Type:XML 1.0 document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):19362
                                                                  Entropy (8bit):4.547790104932671
                                                                  Encrypted:false
                                                                  SSDEEP:48:c8+ZWGPlIbNYbOiZHt77jV8BUlqUYVNY7Qfdm0sUR50jtesnSjAEGaaFac02LqKe:9+ZW6IbNMZHtx8apucU1snGAEG/0zCk/
                                                                  MD5:301C15EBC9B8696007D0464CE84DF930
                                                                  SHA1:2463698396FAB36DBABB8D6F295AAD4630568431
                                                                  SHA-256:1252689CD56CF5DD1BF892A5FA89582AE488E5C83F8AC3EF6B2B2462162799E7
                                                                  SHA-512:AE4A21BF7D204A879F5097209D63BFC8CC1B12065DA3A0416406A658CEDC73274906FE2861715F9721FE95E14F7738887331942707E56ACD6F0C2188EE74C214
                                                                  Malicious:false
                                                                  Reputation:unknown
                                                                  Preview: <?xml version="1.0" encoding="UTF-8"?>.<Palette editable="false" name="Named Colors" >. <Color colorName="#fffafa" alpha="255" />. <Color colorName="#f8f8ff" alpha="255" />. <Color colorName="#f5f5f5" alpha="255" />. <Color colorName="#dcdcdc" alpha="255" />. <Color colorName="#fffaf0" alpha="255" />. <Color colorName="#fdf5e6" alpha="255" />. <Color colorName="#faf0e6" alpha="255" />. <Color colorName="#faebd7" alpha="255" />. <Color colorName="#ffefd5" alpha="255" />. <Color colorName="#ffebcd" alpha="255" />. <Color colorName="#ffe4c4" alpha="255" />. <Color colorName="#ffdab9" alpha="255" />. <Color colorName="#ffdead" alpha="255" />. <Color colorName="#ffe4b5" alpha="255" />. <Color colorName="#fff8dc" alpha="255" />. <Color colorName="#fffff0" alpha="255" />. <Color colorName="#fffacd" alpha="255" />. <Color colorName="#fff5ee" alpha="255" />. <Color colorName="#f0fff0" alpha="255" />. <Color colorName="#f5fffa" alpha="255" />. <Color colorName="#f0ffff" alpha="255" />. <Color co

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.872976404778307
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                  • Inno Setup installer (109748/4) 1.08%
                                                                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  File name:1Edyk9e6oL.exe
                                                                  File size:5210880
                                                                  MD5:6a8ebc295dbde6256299d4236732cbdc
                                                                  SHA1:6975e7c55935f838401f9682480ea3b6749f7307
                                                                  SHA256:04595c3111276f02b6dc2ece0778cb5829c086484aeafa24e0aac3d8479deb4b
                                                                  SHA512:358a5bf4f0907bc0dac3c172abfc0bb31eba4ad567d59e3a7780cde73150536c0d376ed07ad80c2f569bc90e26731e6ae9f0bce2d33644b7d53143c5b7a12253
                                                                  SSDEEP:98304:qSihcSphfXv9xbIk1ROqoHSL7Tcu2tBLn0hHcgOsr1SFFb:bSj/9xbIkoqHzcuNE
                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                  File Icon

                                                                  Icon Hash:a68abab29aa6a200

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4b5eec
                                                                  Entrypoint Section:.itext
                                                                  Digitally signed:true
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:6
                                                                  OS Version Minor:1
                                                                  File Version Major:6
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:6
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:5a594319a0d69dbc452e748bcf05892e

                                                                  Authenticode Signature

                                                                  Signature Valid:true
                                                                  Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
                                                                  Signature Validation Error:The operation completed successfully
                                                                  Error Number:0
                                                                  Not Before, Not After
                                                                  • 9/1/2021 5:00:00 PM 9/2/2022 4:59:59 PM
                                                                  Subject Chain
• CN=Baltic Auto SIA, O=Baltic Auto SIA, S=Rīga, C=LV, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=LV, SERIALNUMBER=40103318287
                                                                  Version:3
                                                                  Thumbprint MD5:80D1AF7742336F8CCA96BF7A44976DF2
                                                                  Thumbprint SHA-1:30576D884D8311D503D9CB030FD547DC26D1AB6B
                                                                  Thumbprint SHA-256:1F893C08CE7915D76394082DD884A6771493247B9169B6579AED99F8606AD484
                                                                  Serial:3D3FC30099D6C7AEB806D4181992AF90

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  add esp, FFFFFFA4h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  xor eax, eax
                                                                  mov dword ptr [ebp-3Ch], eax
                                                                  mov dword ptr [ebp-40h], eax
                                                                  mov dword ptr [ebp-5Ch], eax
                                                                  mov dword ptr [ebp-30h], eax
                                                                  mov dword ptr [ebp-38h], eax
                                                                  mov dword ptr [ebp-34h], eax
                                                                  mov dword ptr [ebp-2Ch], eax
                                                                  mov dword ptr [ebp-28h], eax
                                                                  mov dword ptr [ebp-14h], eax
                                                                  mov eax, 004B10F0h
                                                                  call 00007FAF20C5DF85h
                                                                  xor eax, eax
                                                                  push ebp
                                                                  push 004B65E2h
                                                                  push dword ptr fs:[eax]
                                                                  mov dword ptr fs:[eax], esp
                                                                  xor edx, edx
                                                                  push ebp
                                                                  push 004B659Eh
                                                                  push dword ptr fs:[edx]
                                                                  mov dword ptr fs:[edx], esp
                                                                  mov eax, dword ptr [004BE634h]
                                                                  call 00007FAF20D006AFh
                                                                  call 00007FAF20D00202h
                                                                  lea edx, dword ptr [ebp-14h]
                                                                  xor eax, eax
                                                                  call 00007FAF20C739F8h
                                                                  mov edx, dword ptr [ebp-14h]
                                                                  mov eax, 004C1D84h
                                                                  call 00007FAF20C58B77h
                                                                  push 00000002h
                                                                  push 00000000h
                                                                  push 00000001h
                                                                  mov ecx, dword ptr [004C1D84h]
                                                                  mov dl, 01h
                                                                  mov eax, dword ptr [004237A4h]
                                                                  call 00007FAF20C74A5Fh
                                                                  mov dword ptr [004C1D88h], eax
                                                                  xor edx, edx
                                                                  push ebp
                                                                  push 004B654Ah
                                                                  push dword ptr fs:[edx]
                                                                  mov dword ptr fs:[edx], esp
                                                                  call 00007FAF20D00737h
                                                                  mov dword ptr [004C1D90h], eax
                                                                  mov eax, dword ptr [004C1D90h]
                                                                  cmp dword ptr [eax+0Ch], 01h
                                                                  jne 00007FAF20D06D1Ah
                                                                  mov eax, dword ptr [004C1D90h]
                                                                  mov edx, 00000028h
                                                                  call 00007FAF20C75354h
                                                                  mov edx, dword ptr [004C1D90h]

                                                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x2e908 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4f5ca0 | 0x2660 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb361c | 0xb3800 | False | 0.344863934105 | data | 6.35605820433 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.97275005522 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.360979352679 | data | 5.04440056201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.89870464796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.75636286825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.87222286659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.38389437522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x2e908 | 0x2ea00 | False | 0.138572386059 | data | 4.31174215086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
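
The Static PE Info, Data Directories and Sections tables above are what a reviewer reads first, and two of their details deserve a second look: DYNAMIC_BASE is set in DllCharacteristics while RELOCS_STRIPPED is set in the file characteristics and the BASERELOC directory is empty, so the loader cannot rebase the image and the flag gives no ASLR; and the SECURITY entry is a file offset rather than an RVA, which is why it maps to no section. The following script is an added example, not code from the report or the sample: it parses a PE32 file with the standard library only, computes per-section entropy as the table does, and raises those header findings plus a writable-and-executable section check. build_sample_pe() constructs a throwaway image (not this sample) that reproduces the same header combination so the checks run offline; the field offsets follow the PE/COFF specification.

```python
"""Header-level checks on a PE32 file, standard library only.

Added example, not part of the Joe Sandbox report or the sample: parse_pe()
reads the COFF header, optional header, data directories and section table;
review() raises the header findings a reviewer looks for; build_sample_pe()
constructs a throwaway image so the checks run offline.
"""
import math
import struct
from collections import Counter

IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE = 0x1, 0x2, 0x100
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x40, 0x100
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x20, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY, IMAGE_DIRECTORY_ENTRY_BASERELOC = 4, 5


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(image: bytes) -> dict:
    """Parse a PE32 image (the sample's format) into a plain dict."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                       # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24                                                        # after the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsec):                                                # 40-byte section headers
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, scn = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "chars": scn,
                         "entropy": entropy(image[raw_ptr:raw_ptr + raw_size])})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "dll_characteristics": dll_chars, "directories": dirs, "sections": sections}


def review(pe: dict) -> list:
    """One string per finding a reviewer would raise from the headers alone."""
    findings, dirs = [], pe["directories"] + [(0, 0)] * 16
    no_relocs = pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED or dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC][1] == 0
    if pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and no_relocs:
        findings.append("DYNAMIC_BASE set but no base relocations: the loader cannot rebase "
                        "the image, so the flag gives no ASLR")
    sec_off, sec_size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY]            # a file offset, not an RVA
    if sec_size:
        findings.append(f"Authenticode blob at file offset {sec_off:#x} ({sec_size:#x} bytes): "
                        "verify chain and signer; a valid signature is not a clean bill")
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["entropy"] > 7.0:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f}: packed or encrypted content likely")
    return findings


def build_sample_pe(sections, file_chars, dll_chars, reloc_dir=(0, 0)) -> bytes:
    """Constructed, non-runnable PE32 image: headers plus raw section bytes.
    sections is a list of (name, raw_bytes, characteristics)."""
    file_align, sect_align = 0x200, 0x1000
    hdr_len = -(-(0x40 + 24 + 224 + 40 * len(sections)) // file_align) * file_align
    layout, va, raw = [], sect_align, hdr_len
    for name, data, scn in sections:
        raw_size = -(-len(data) // file_align) * file_align
        layout.append((name, data, scn, va, raw, raw_size))
        va += -(-max(len(data), 1) // sect_align) * sect_align
        raw += raw_size
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x60B88E27, 0, 0, 224, file_chars)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, sect_align, sect_align, 0x2000, 0x400000, sect_align,
                      file_align, 6, 1, 0, 0, 6, 1, 0, va, hdr_len, 0, 2, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = reloc_dir
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), len(d), sva,
                                rs, rp, 0, 0, 0, 0, scn) for n, d, scn, sva, rp, rs in layout)
    image = (bytes(dos) + b"PE\0\0" + coff + opt + hdrs).ljust(hdr_len, b"\0")
    return image + b"".join(d.ljust(rs, b"\0") for _, d, _, _, _, rs in layout)


def demo_findings() -> list:
    """Constructed image with the header combination seen in the tables above:
    DYNAMIC_BASE plus RELOCS_STRIPPED and an empty BASERELOC directory, one
    W+X code section and one section of high-entropy data."""
    code = bytes([0x55, 0x8B, 0xEC]) * 200                 # repetitive prologue bytes, low entropy
    blob = bytes(range(256)) * 4                            # every byte value equally often: 8.0 bits/byte
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    image = build_sample_pe(
        [(".text", code, rwx), (".rsrc", blob, IMAGE_SCN_MEM_READ)],
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_RELOCS_STRIPPED,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return review(parse_pe(image))
```

To run it against a real file, call review(parse_pe(open(path, "rb").read())). The entropy threshold of 7.0 is a rule of thumb: the sample's .text sits at 6.36 while the whole file reads 7.87 because the appended Inno Setup payload is compressed, so whole-file and per-section entropy answer different questions.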

                                                                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc75e8 | 0x280a | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xc9df4 | 0x13ab | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0xcb1a0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xdb9c8 | 0x94a8 | data | English | United States
RT_ICON | 0xe4e70 | 0x5488 | data | English | United States
RT_ICON | 0xea2f8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
RT_ICON | 0xee520 | 0x25a8 | data | English | United States
RT_ICON | 0xf0ac8 | 0x10a8 | data | English | United States
RT_ICON | 0xf1b70 | 0x988 | data | English | United States
RT_ICON | 0xf24f8 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_STRING | 0xf2960 | 0x360 | data | |
RT_STRING | 0xf2cc0 | 0x260 | data | |
RT_STRING | 0xf2f20 | 0x45c | data | |
RT_STRING | 0xf337c | 0x40c | data | |
RT_STRING | 0xf3788 | 0x2d4 | data | |
RT_STRING | 0xf3a5c | 0xb8 | data | |
RT_STRING | 0xf3b14 | 0x9c | data | |
RT_STRING | 0xf3bb0 | 0x374 | data | |
RT_STRING | 0xf3f24 | 0x398 | data | |
RT_STRING | 0xf42bc | 0x368 | data | |
RT_STRING | 0xf4624 | 0x2a4 | data | |
RT_RCDATA | 0xf48c8 | 0x10 | data | |
RT_RCDATA | 0xf48d8 | 0x2c4 | data | |
RT_RCDATA | 0xf4b9c | 0x2c | data | |
RT_GROUP_ICON | 0xf4bc8 | 0x92 | data | English | United States
RT_VERSION | 0xf4c5c | 0x584 | data | English | United States
RT_MANIFEST | 0xf51e0 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                                                  Imports

DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

                                                                  Exports

Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x454060
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c

                                                                  Version Infos

Description | Data
LegalCopyright |
FileVersion | 3.2.38.8
CompanyName | Alexandre Mutel
Comments | This installation was built with Inno Setup.
ProductName | SharpDX Direct3D9Utility
ProductVersion | 3.2.38.8
FileDescription | SharpDX Direct3D9Utility Setup
OriginalFileName |
Translation | 0x0000 0x04b0

                                                                  Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 13:52:16.888530016 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 13:52:16.926651001 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3

                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 13:52:16.888530016 CET | 192.168.2.3 | 8.8.8.8 | 0x31f4 | Standard query (0) | get.updates.avast.cn | A (IP address) | IN (0x0001)

                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 13:52:16.926651001 CET | 8.8.8.8 | 192.168.2.3 | 0x31f4 | Name error (3) | get.updates.avast.cn | none | none | A (IP address) | IN (0x0001)

                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior


                                                                  System Behavior

                                                                  General

                                                                  Start time:13:50:56
                                                                  Start date:25/11/2021
                                                                  Path:C:\Users\user\Desktop\1Edyk9e6oL.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\1Edyk9e6oL.exe"
                                                                  Imagebase:0x400000
                                                                  File size:5210880 bytes
                                                                  MD5 hash:6A8EBC295DBDE6256299D4236732CBDC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low

                                                                  General

                                                                  Start time:13:50:58
                                                                  Start date:25/11/2021
                                                                  Path:C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" /SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"
                                                                  Imagebase:0x400000
                                                                  File size:3284992 bytes
                                                                  MD5 hash:760A37743734493F9932E546677C2EF2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Antivirus matches:
                                                                  • Detection: 2%, ReversingLabs
                                                                  Reputation:low

                                                                  General

                                                                  Start time:13:51:00
                                                                  Start date:25/11/2021
                                                                  Path:C:\Users\user\Desktop\1Edyk9e6oL.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
                                                                  Imagebase:0x400000
                                                                  File size:5210880 bytes
                                                                  MD5 hash:6A8EBC295DBDE6256299D4236732CBDC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low

                                                                  General

                                                                  Start time:13:51:02
                                                                  Start date:25/11/2021
                                                                  Path:C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" /SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT
                                                                  Imagebase:0x400000
                                                                  File size:3284992 bytes
                                                                  MD5 hash:760A37743734493F9932E546677C2EF2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low

                                                                  General

                                                                  Start time:13:51:58
                                                                  Start date:25/11/2021
                                                                  Path:C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"
                                                                  Imagebase:0x100000
                                                                  File size:6905344 bytes
                                                                  MD5 hash:A445770520FEDB0462439C43D6D898C6
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000002.554356338.0000000003A58000.00000004.00000040.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000002.554263426.0000000003529000.00000004.00000040.sdmp, Author: Joe Security
                                                                  Reputation:low
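
The five processes listed above form one chain: the Inno Setup stub on the Desktop, its extracted second stage under %TEMP%\is-XXXXX.tmp\ started with /SL5=, the stub again with /VERYSILENT, a second /SL5= stage, and finally restsharp.exe under AppData\Roaming, which is where the Ursnif YARA hits land. The following detector is an added example, not part of the Joe Sandbox report: it rebuilds that chain from process-creation events and alerts on the two transitions that distinguish it from a normal Inno install (the second stage silently re-launching its own installer, and a binary under AppData\Roaming with an Inno stage in its ancestry). The events are constructed; the report gives start times but no parent PIDs, so the parent links are assumed from Inno Setup's stub-to-.tmp convention, and the PIDs, the explorer.exe parent and the benign comparison chain are invented for the example.

```python
"""Process-chain detection for the Inno Setup installer behaviour listed above.

Added example, not part of the Joe Sandbox report. The events are constructed
to mirror the processes in the System Behavior section; parent links are an
assumption taken from Inno Setup's convention (the stub extracts
%TEMP%\\is-XXXXX.tmp\\<name>.tmp and runs it with /SL5="..."), and the PIDs,
the explorer.exe parent and the benign chain are likewise constructed.
"""
import re
from dataclasses import dataclass

# Inno Setup second stage: <dir>\is-XXXXX.tmp\<name>.tmp started with /SL5=
INNO_STAGE2_IMAGE = re.compile(r"\\is-[0-9A-Z]{5}\.tmp\\[^\\]+\.tmp$", re.I)
# /SL5="$hwnd,offset,size,<path of the original installer>"
SL5_ORIGIN = re.compile(r'/SL5="[^",]*,\d+,\d+,([^"]+)"', re.I)
SILENT_SWITCH = re.compile(r"(?<!\S)/(?:VERY)?SILENT(?!\S)", re.I)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event 1 carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_inno_stage2(ev: ProcEvent) -> bool:
    return bool(INNO_STAGE2_IMAGE.search(ev.image)) and "/SL5=" in ev.cmdline.upper()


def ancestors(ev: ProcEvent, by_pid: dict):
    """Walk parent links upward, stopping on missing or cyclic PIDs."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events: list) -> list:
    """Return (rule, pid, image) tuples for the two chain transitions worth alerting on."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # Rule 1: the Inno second stage re-launches the original installer silently.
        if parent is not None and is_inno_stage2(parent) and SILENT_SWITCH.search(ev.cmdline):
            origin = SL5_ORIGIN.search(parent.cmdline)
            if origin and origin.group(1).lower() == ev.image.lower():
                alerts.append(("inno_silent_relaunch", ev.pid, ev.image))
        # Rule 2: a binary under AppData\Roaming runs with an Inno stage in its ancestry.
        if ROAMING_DIR.search(ev.image) and any(is_inno_stage2(a) for a in ancestors(ev, by_pid)):
            alerts.append(("inno_payload_in_roaming", ev.pid, ev.image))
    return alerts


SAMPLE_EVENTS = [  # constructed; parent links assumed as described in the docstring
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1001, 900, r"C:\Users\user\Desktop\1Edyk9e6oL.exe",
              r'"C:\Users\user\Desktop\1Edyk9e6oL.exe"'),
    ProcEvent(1002, 1001, r"C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-5B16D.tmp\1Edyk9e6oL.tmp" '
              r'/SL5="$203F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe"'),
    ProcEvent(1003, 1002, r"C:\Users\user\Desktop\1Edyk9e6oL.exe",
              r'"C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT'),
    ProcEvent(1004, 1003, r"C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-CL8E8.tmp\1Edyk9e6oL.tmp" '
              r'/SL5="$1003F8,4346840,953344,C:\Users\user\Desktop\1Edyk9e6oL.exe" /VERYSILENT'),
    ProcEvent(1005, 1004, r"C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe",
              r'"C:\Users\user\AppData\Roaming\SharpDX Direct3D9Utility\restsharp.exe"'),
    # A benign Inno installer (constructed) that installs to Program Files: no alert expected.
    ProcEvent(3001, 900, r"C:\Users\user\Downloads\setup.exe", r'"C:\Users\user\Downloads\setup.exe"'),
    ProcEvent(3002, 3001, r"C:\Users\user\AppData\Local\Temp\is-ABCDE.tmp\setup.tmp",
              r'"C:\Users\user\AppData\Local\Temp\is-ABCDE.tmp\setup.tmp" '
              r'/SL5="$301F2,1000000,700000,C:\Users\user\Downloads\setup.exe"'),
    ProcEvent(3003, 3002, r"C:\Program Files\ExampleApp\app.exe", r'"C:\Program Files\ExampleApp\app.exe"'),
]
```

detect(SAMPLE_EVENTS) raises inno_silent_relaunch for PID 1003 and inno_payload_in_roaming for PID 1005, and nothing for the benign chain. Rule 1 keys on the installer path carried inside the /SL5= argument rather than on the file name, so a renamed stub still matches; rule 2 deliberately ignores the intermediate is-*.tmp directory, which legitimate installers also use, and only fires on where the final binary lives.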

                                                                  Disassembly

                                                                  Code Analysis
