Windows Analysis Report
B35@6B.exe

Overview

General Information

Sample Name: B35@6B.exe
Analysis ID: 672480
MD5: 6753a24ed2a75dbd488c0a1783f03d05
SHA1: 70c061619c4ebbbb111923257e76cd3cef5b3618
SHA256: a9b46ddb3ed98e2ca5e71253a69f686e1f618f724821eb98b52b812844117f33
Tags: agentteslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Drops executable to a common third party application directory
Machine Learning detection for sample
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SGDT)

Classification

  • System is w10x64
  • B35@6B.exe (PID: 1724 cmdline: "C:\Users\user\Desktop\B35@6B.exe" MD5: 6753A24ED2A75DBD488C0A1783F03D05)
    • pot.exe (PID: 3224 cmdline: "C:\Users\user\AppData\Local\Temp\pot.exe" MD5: 6753A24ED2A75DBD488C0A1783F03D05)
      • InstallUtil.exe (PID: 1448 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • Acrobat.exe (PID: 5284 cmdline: "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe" MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Acrobat.exe (PID: 5680 cmdline: "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe" MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
Source | Rule | Description | Author | Strings
0000000A.00000000.420464455.0000000000632000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000A.00000000.420464455.0000000000632000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000A.00000000.420090127.0000000000632000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
0.2.B35@6B.exe.4b4aa42.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.B35@6B.exe.4b4aa42.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.B35@6B.exe.4b4aa42.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen |
  • 0x30eba:$s10: logins
  • 0x30921:$s11: credential
  • 0x2cec3:$g1: get_Clipboard
  • 0x2ced1:$g2: get_Keyboard
  • 0x2cede:$g3: get_Password
  • 0x2e1e3:$g4: get_CtrlKeyDown
  • 0x2e1f3:$g5: get_ShiftKeyDown
  • 0x2e204:$g6: get_AltKeyDown
0.2.B35@6B.exe.4be84c2.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.B35@6B.exe.4be84c2.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: B35@6B.exe | Virustotal: Detection: 45%
Source: B35@6B.exe | ReversingLabs: Detection: 46%
Source: B35@6B.exe | Joe Sandbox ML: detected
Source: 0.2.B35@6B.exe.4be84c2.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "logs@multimetals.cfd", "Password": "multimetals.cfd", "Host": "asset@multimetals.cfd"}
Source: B35@6B.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: B35@6B.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
Source: Binary string: InstallUtil.pdb source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: www.google.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 192.185.37.183 192.185.37.183
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                    Source: B35@6B.exe, 00000000.00000002.290388561.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000002.432584864.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
                    Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
                    Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
                    Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
                    Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
                    Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
                    Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
                    Source: InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
                    Source: B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com4
                    Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comB
                    Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comZ
                    Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comes
                    Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comexc
                    Source: B35@6B.exe, 00000000.00000003.243686727.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244376914.000000000C59D000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244356588.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243874994.000000000C598000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243834321.000000000C5A0000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245244855.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244623217.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244576344.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243711214.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244119845.000000000C59B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comic-
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.
                    Source: B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.compor
                    Source: B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comypo
                    Source: InstallUtil.exe, 0000000A.00000003.494409848.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496795773.0000000005C38000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
                    Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
                    Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                    Source: InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496626164.000000000637E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.495723205.000000000636F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
                    Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
                    Source: InstallUtil.exe, 0000000A.00000003.494788620.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516662324.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495309733.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
                    Source: InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                    Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                    Source: InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                    Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                    Source: InstallUtil.exe, 0000000A.00000003.494550099.00000000063F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                    Source: InstallUtil.exe, 0000000A.00000003.496181995.0000000006351000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494550099.00000000063F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
                    Source: InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                    Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
                    Source: InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: B35@6B.exe, 00000000.00000003.245908483.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246675183.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245973902.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246009181.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246108229.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: B35@6B.exe, 00000000.00000003.245480056.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245508880.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/Y
                    Source: B35@6B.exe, 00000000.00000003.246772634.000000000C5A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: B35@6B.exe, 00000000.00000003.246719543.000000000C5A9000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246455927.000000000C5A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html/
                    Source: B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers1
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: B35@6B.exe, 00000000.00000003.246704680.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246762025.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246859296.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246675183.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246905589.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersY
                    Source: B35@6B.exe, 00000000.00000003.250184391.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designerse
                    Source: B35@6B.exe, 00000000.00000003.247092349.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.246961090.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersn
                    Source: B35@6B.exe, 00000000.00000003.245508880.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245546404.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
                    Source: B35@6B.exe, 00000000.00000003.245793626.000000000C5C6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245728656.000000000C5C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersz
                    Source: B35@6B.exe, 00000000.00000003.286289999.000000000C590000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.286398571.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000002.308273126.000000000C594000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: B35@6B.exe, 00000000.00000003.242654377.000000000C5BE000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242690897.000000000C5BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: B35@6B.exe, 00000000.00000003.242545128.000000000C5A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnY
                    Source: B35@6B.exe, 00000000.00000003.243061112.000000000C593000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnoY
                    Source: B35@6B.exe, 00000000.00000003.242534194.000000000C5BD000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242654377.000000000C5BE000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242521169.000000000C5BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cns-c
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496284015.0000000005B94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
                    Source: InstallUtil.exe, 0000000A.00000003.496284015.0000000005B94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
                    Source: InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
                    Source: B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
                    Source: InstallUtil.exe, 0000000A.00000003.496181995.0000000006351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
                    Source: unknownDNS traffic detected: queries for: www.google.com
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
                    Source: unknownHTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49713 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 142.250.185.132:443 -> 192.168.2.4:49714 version: TLS 1.2
                    Source: B35@6B.exe, 00000000.00000002.287669560.00000000013A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary

                    Source: 0.2.B35@6B.exe.4b4aa42.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4be84c2.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.44cbe62.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 10.0.InstallUtil.exe.630000.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4b16152.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4b7f322.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.45698e2.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.44cbe62.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.459e1b8.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 10.0.InstallUtil.exe.630000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.4500742.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.4497572.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.45698e2.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4b4aa42.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.4500742.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4c1cd98.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4b7f322.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 10.2.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 10.0.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 10.0.InstallUtil.exe.630000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.459e1b8.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4c1cd98.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 10.0.InstallUtil.exe.630000.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4be84c2.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.pot.exe.4497572.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.B35@6B.exe.4b16152.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 10.0.InstallUtil.exe.630000.2.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
                    Source: 10.0.InstallUtil.exe.630000.1.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
                    Source: 10.0.InstallUtil.exe.630000.4.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
                    Source: 10.0.InstallUtil.exe.630000.3.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
                    Source: 10.2.InstallUtil.exe.630000.0.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
                    Source: 10.0.InstallUtil.exe.630000.0.unpack, <PrivateImplementationDetails>{94F50758-4E55-4832-9A2D-DE217AA15913}/155CD9E4-829D-4C0A-B7D4-D8FF2F7D417F.cs Large array initialization: .cctor: array initializer size 11626
                    Source: B35@6B.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.B35@6B.exe.4b4aa42.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4be84c2.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.44cbe62.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.InstallUtil.exe.630000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4b16152.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4b7f322.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.45698e2.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.44cbe62.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.459e1b8.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.InstallUtil.exe.630000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.4500742.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.4497572.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.45698e2.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4b4aa42.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.4500742.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4c1cd98.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4b7f322.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.2.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.InstallUtil.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.InstallUtil.exe.630000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.459e1b8.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4c1cd98.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 10.0.InstallUtil.exe.630000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4be84c2.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.pot.exe.4497572.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.B35@6B.exe.4b16152.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: B35@6B.exe, 00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs B35@6B.exe
                    Source: B35@6B.exe, 00000000.00000002.304264302.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRwKntxILzrfTruqKGkLPcmQ.exe4 vs B35@6B.exe
                    Source: B35@6B.exe, 00000000.00000002.287669560.00000000013A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs B35@6B.exe
                    Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                    Source: B35@6B.exe Virustotal: Detection: 45%
                    Source: B35@6B.exe ReversingLabs: Detection: 46%
                    Source: B35@6B.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\B35@6B.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown Process created: C:\Users\user\Desktop\B35@6B.exe "C:\Users\user\Desktop\B35@6B.exe"
                    Source: C:\Users\user\Desktop\B35@6B.exe Process created: C:\Users\user\AppData\Local\Temp\pot.exe "C:\Users\user\AppData\Local\Temp\pot.exe"
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe "C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\B35@6B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\B35@6B.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B35@6B.exe.log
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/8@3/2
                    Source: C:\Users\user\Desktop\B35@6B.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: B35@6B.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\B35@6B.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
                    Source: 10.0.InstallUtil.exe.630000.2.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 10.0.InstallUtil.exe.630000.1.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 10.0.InstallUtil.exe.630000.4.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\B35@6B.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: B35@6B.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: B35@6B.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
                    Source: Binary string: InstallUtil.pdb source: Acrobat.exe, 0000000E.00000002.468247784.00000000007C2000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe, 00000010.00000000.481629339.0000000000D02000.00000002.00000001.01000000.0000000B.sdmp, Acrobat.exe.10.dr
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE0D5E0 push AB0BE0D0h; iretd
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE04410 pushad ; retf
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4A160 push edi; ret
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE4A16A push edi; ret
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_0BE49FF9 push ebx; retf
                    Source: initial sample Static PE information: section name: .text entropy: 6.8368028789554005

                    Persistence and Installation Behavior

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File written: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Acrobat

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\B35@6B.exe File opened: C:\Users\user\Desktop\B35@6B.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe File opened: C:\Users\user\AppData\Local\Temp\pot.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe:Zone.Identifier read attributes | delete
                    Source: c:\users\user\desktop\b35@6b.exe File moved: C:\Users\user\AppData\Local\Temp\pot.exe
                    Source: C:\Users\user\Desktop\B35@6B.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\B35@6B.exe TID: 5648 Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\B35@6B.exe TID: 4084 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe TID: 4916 Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe TID: 4916 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5524 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5872 Thread sleep count: 9615 > 30
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe TID: 1900 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe TID: 4612 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\B35@6B.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Window / User API: threadDelayed 9824
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 9615
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Code function: 1_2_06180B50 sgdt fword ptr [eax]
                    Source: C:\Users\user\Desktop\B35@6B.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Thread delayed: delay time: 30000
                    Source: pot.exe, 00000001.00000002.429076060.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
                    Source: B35@6B.exe, 00000000.00000002.290634569.00000000031F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
                    Source: pot.exe, 00000001.00000002.432957387.0000000002B78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: pot.exe, 00000001.00000002.432957387.0000000002B78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcss#SOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516809161.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.490985919.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.492523884.0000000005C09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: pot.exe, 00000001.00000002.432957387.0000000002B78000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTraysage@5
                    Source: B35@6B.exe Binary or memory string: ~LKJKHGFSDCB
                    Source: B35@6B.exe, 00000000.00000002.287944502.00000000013DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.491405202.0000000005C16000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516809161.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.491256208.0000000005C12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.490985919.0000000005C07000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493562354.0000000005C18000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`#
                    Source: B35@6B.exe, 00000000.00000002.287944502.00000000013DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\B35@6B.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\B35@6B.exe Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\B35@6B.exe Process created: C:\Users\user\AppData\Local\Temp\pot.exe "C:\Users\user\AppData\Local\Temp\pot.exe"
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Users\user\Desktop\B35@6B.exe VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Users\user\AppData\Local\Temp\pot.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\pot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Users\user\Desktop\B35@6B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match, File source: Process Memory Space: B35@6B.exe PID: 1724, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: pot.exe PID: 3224, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 1448, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

                    Remote Access Functionality

                    Source: Yara matchFile source: 0000000A.00000000.420464455.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000000.420090127.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.455643526.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.500496206.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.304264302.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.454626461.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000000.420800374.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.457363000.0000000004569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000000.419618627.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: B35@6B.exe PID: 1724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: pot.exe PID: 3224, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1448, type: MEMORYSTR

                    | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
                    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                    | Valid Accounts | 211 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
                    | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 114 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
                    | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
                    | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud |
                    | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 21 Masquerading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
                    | Replication Through Removable Media | Launchd | Rc.common | Rc.common | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
                    | External Remote Services | Scheduled Task | Startup Items | Startup Items | 11 Process Injection | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
                    | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

                    Behavior Graph (image not preserved): ID: 672480, Sample: B35@6B.exe, Startdate: 24/07/2022, Architecture: WINDOWS, Score: 100
                    Process chain: B35@6B.exe -> pot.exe -> InstallUtil.exe; two Acrobat.exe instances, each starting conhost.exe
                    Network: B35@6B.exe -> www.google.com (142.250.185.132, 443, 49713, 49714, GOOGLEUS, United States); pot.exe -> www.google.com; InstallUtil.exe -> multimetals.cfd (192.185.37.183, 49719, 49722, 587, UNIFIEDLAYER-AS-1US, United States)
                    Dropped files: B35@6B.exe dropped C:\Users\user\AppData\...\B35@6B.exe.log (ASCII); InstallUtil.exe dropped C:\Users\user\AppData\Roaming\...\Acrobat.exe (PE32)
                    Signatures: B35@6B.exe: Moves itself to temp directory; Hides that the sample has been downloaded from the Internet (zone.identifier). pot.exe: Hides that the sample has been downloaded from the Internet (zone.identifier). InstallUtil.exe: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures

                    Source | Detection | Scanner | Label
                    B35@6B.exe | 46% | Virustotal |
                    B35@6B.exe | 46% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                    B35@6B.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe | 0% | Metadefender |
                    C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe | 0% | ReversingLabs |

                    Source | Detection | Scanner | Label
                    10.0.InstallUtil.exe.630000.2.unpack | 100% | Avira | HEUR/AGEN.1203035
                    10.0.InstallUtil.exe.630000.1.unpack | 100% | Avira | HEUR/AGEN.1203035
                    10.0.InstallUtil.exe.630000.4.unpack | 100% | Avira | HEUR/AGEN.1203035
                    10.0.InstallUtil.exe.630000.3.unpack | 100% | Avira | HEUR/AGEN.1203035
                    10.2.InstallUtil.exe.630000.0.unpack | 100% | Avira | HEUR/AGEN.1203035
                    10.0.InstallUtil.exe.630000.0.unpack | 100% | Avira | HEUR/AGEN.1203035

                    No Antivirus matches

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    multimetals.cfd | 192.185.37.183 | true | false | | unknown
                    www.google.com | 142.250.185.132 | true | false | | high
                                                    high
                                                    http://OKJTye.comInstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://web.ncdc.gov.sa/crl/nrcaparta1.crlInstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.datev.de/zertifikat-policy-int0InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cn/bTheB35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.acabogacia.org0InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.firmaprofesional.com/cps0InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.carterandcone.com4B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://crl.securetrust.com/SGCA.crl0InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.agesic.gub.uy/acrn/acrn.crl0)InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.carterandcone.comBB35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.rcsc.lt/repository0InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.typography.netDB35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://fontfabrik.comB35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://web.certicamara.com/marco-legal0ZInstallUtil.exe, 0000000A.00000003.495356932.0000000005BCE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.google.comTB35@6B.exe, 00000000.00000002.290388561.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000002.432584864.0000000002B31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.quovadisglobal.com/cps0InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://x1.c.lencr.org/0InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.517974136.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://x1.i.lencr.org/0InstallUtil.exe, 0000000A.00000002.516089255.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511725863.0000000002926000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.517974136.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.512386843.0000000002972000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.correo.com.uy/correocert/cps.pdf0InstallUtil.exe, 0000000A.00000003.494116501.0000000005BFF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496829199.0000000005C0A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://DynDns.comDynDNSnamejidpasswordPsi/PsiInstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.fonts.comB35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.sandoll.co.krB35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://7lPQxKUhrmku.orgInstallUtil.exe, 0000000A.00000002.512055045.0000000002948000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.511374769.00000000028E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://certs.oaticerts.com/repository/OATICA2.crt08InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://cps.chambersign.org/cps/chambersignroot.html0InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://ns.ado/1yPpot.exe, 00000001.00000003.311383323.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.411228926.000000000BEA8000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.413434243.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.307834538.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314434884.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309793041.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310985083.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.317213060.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308761023.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314204431.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.319967920.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.310639752.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312141601.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.313899652.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.312675654.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314567273.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.314769045.000000000BECB000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.308319804.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.311461105.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, pot.exe, 00000001.00000003.309511461.000000000BECA000.00000004.00000800.00020000.00000000.sdmp, 
pot.exe, 00000001.00000003.411816052.000000000BEC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.anf.es/AC/RC/ocsp0cInstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.carterandcone.comexcB35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.oaticerts.com/repository.InstallUtil.exe, 0000000A.00000003.495228110.0000000005BD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.ancert.com/cps0InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://api.ipify.org%appdataInstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                low
                                                                http://ocsp.accv.es0InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.echoworx.com/ca/root2/cps.pdf0InstallUtil.exe, 0000000A.00000003.496083673.0000000006381000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://rca.e-szigno.hu/ocsp0-InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03InstallUtil.exe, 0000000A.00000003.495487980.0000000005BC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://eca.hinet.net/repository/CRL2/CA.crl0InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.datev.de/zertifikat-policy-std0InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.fontbureau.com/designers/cabarga.htmlNB35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.founder.com.cn/cnB35@6B.exe, 00000000.00000003.242654377.000000000C5BE000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000002.308900248.000000000D822000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.242690897.000000000C5BF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.fontbureau.com/designers/cabarga.htmlB35@6B.exe, 00000000.00000003.246772634.000000000C5A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.agesic.gub.uy/acrn/cps_acrn.pdf0InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://www.catcert.net/verarrel05InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.pki.gva.es/cps0%InstallUtil.exe, 0000000A.00000003.495665837.0000000006355000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.cert.fnmt.es/dpcs/0InstallUtil.exe, 0000000A.00000003.494409848.0000000005C2F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496795773.0000000005C38000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496004090.0000000006387000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.datev.de/zertifikat-policy-bt0InstallUtil.exe, 0000000A.00000003.494788620.0000000005BDE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.516662324.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495309733.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.493994696.0000000005BE7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.comsign.co.il/cps0InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://ns.ado/1pot.exe, 00000001.00000003.427221317.000000000BED0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://127.0.0.1:HTTP/1.1InstallUtil.exe, 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  low
                                                                                  http://www.e-me.lv/repository0InstallUtil.exe, 0000000A.00000003.494550099.00000000063F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.acabogacia.org/doc0InstallUtil.exe, 0000000A.00000003.496161057.000000000637C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.496128218.0000000006375000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495771329.0000000006373000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.495013297.0000000006373000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://crl.chambersign.org/chambersroot.crl0InstallUtil.exe, 0000000A.00000003.495723205.000000000636F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000003.494909642.0000000006360000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.carterandcone.comic-B35@6B.exe, 00000000.00000003.243686727.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244376914.000000000C59D000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244356588.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243874994.000000000C598000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243338541.000000000C593000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243479887.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243834321.000000000C5A0000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.245244855.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244623217.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243541779.000000000C595000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244576344.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.243711214.000000000C5A6000.00000004.00000800.00020000.00000000.sdmp, B35@6B.exe, 00000000.00000003.244119845.000000000C59B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  low
IP | Domain | Country | ASN | ASN Name | Malicious
192.185.37.183 | multimetals.cfd | United States | 46606 | UNIFIEDLAYER-AS-1US | false
142.250.185.132 | www.google.com | United States | 15169 | GOOGLEUS | false
                                                                                  Joe Sandbox Version:35.0.0 Citrine
                                                                                  Analysis ID:672480
Start date and time: 2022-07-24 17:53:07 +02:00
                                                                                  Joe Sandbox Product:CloudBasic
                                                                                  Overall analysis duration:0h 10m 3s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:light
                                                                                  Sample file name:B35@6B.exe
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                  Number of analysed new started processes analysed:18
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:0
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • HDC enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.evad.winEXE@9/8@3/2
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 100%
                                                                                  HDC Information:
                                                                                  • Successful, ratio: 0% (good quality ratio 0%)
                                                                                  • Quality average: 0%
                                                                                  • Quality standard deviation: 0%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 90%
                                                                                  • Number of executed functions: 0
                                                                                  • Number of non-executed functions: 0
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .exe
                                                                                  • Adjust boot time
                                                                                  • Enable AMSI
                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                  • TCP Packets have been reduced to 100
                                                                                  • Excluded IPs from analysis (whitelisted): 8.238.189.126, 8.248.143.254, 67.26.83.254, 8.248.145.254, 8.241.126.249
                                                                                  • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
                                                                                  • Not all processes were analyzed, report is missing behavior information
                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                  Time | Type | Description
                                                                                  17:54:34 | API Interceptor | 1x Sleep call for process: B35@6B.exe modified
                                                                                  17:55:00 | API Interceptor | 210x Sleep call for process: pot.exe modified
                                                                                  17:55:44 | API Interceptor | 165x Sleep call for process: InstallUtil.exe modified
                                                                                  17:55:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Acrobat C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                                                  17:55:57 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Acrobat C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                  File Type:Microsoft Cabinet archive data, 61712 bytes, 1 file
                                                                                  Category:dropped
                                                                                  Size (bytes):61712
                                                                                  Entropy (8bit):7.995044632446497
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
                                                                                  MD5:589C442FC7A0C70DCA927115A700D41E
                                                                                  SHA1:66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
                                                                                  SHA-256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
                                                                                  SHA-512:1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):326
                                                                                  Entropy (8bit):3.117486686032403
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:kKjF+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:rFNkPlE99SNxAhUeE1
                                                                                  MD5:73CB15AC02F056D28244E698853528B5
                                                                                  SHA1:DA327ED34396A489D99AE142804DBD1B555E2C80
                                                                                  SHA-256:502B90D353CEE81025E252ECF95C09DF708EF89661CB2B37ED30A2F2F0B0178F
                                                                                  SHA-512:7964520645C46CF53D4A123702C02F04000245AE2CDAFC0CA8628EC62034DA84A8791B2176F56C71A4FB1E3424CCD8853E5F2147F0198B2249D6980FC43007AD
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:p...... ...........(|...(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...
                                                                                  Process:C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):950
                                                                                  Entropy (8bit):5.350971482944737
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
                                                                                  MD5:CEE81B7EB08EE82CFE49E47B81B50D1A
                                                                                  SHA1:4746C7068BD50E3309BFFDBE8983B8F27D834DFD
                                                                                  SHA-256:B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
                                                                                  SHA-512:AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
                                                                                  Malicious:false
                                                                                  Reputation:moderate, very likely benign file
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                                                                                  Process:C:\Users\user\Desktop\B35@6B.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1301
                                                                                  Entropy (8bit):5.345637324625647
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4KE4VE4j:MIHKov2HKXwYHKhQnoPtHoxHhAHKzvr3
                                                                                  MD5:90DA70F21E67A8A3197C9F454FA9CB57
                                                                                  SHA1:FC0B4A2B0F54E399477E168EEAFE962E6589DF91
                                                                                  SHA-256:FEA95A3982BE3C224FDDFCE307C75459525FDFE66B5A7E6D83625FF51542F54E
                                                                                  SHA-512:8563365117151AC0F90DFF6352D766F9A06E7AFCE2A2D949EC2A59DFA7078615BBCE59E6B081F351D45F8BB50793129509810EAF97F8D42ECD4F3B21AB3938C0
                                                                                  Malicious:true
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                                                  Process:C:\Users\user\AppData\Local\Temp\pot.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1301
                                                                                  Entropy (8bit):5.345637324625647
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4KE4VE4j:MIHKov2HKXwYHKhQnoPtHoxHhAHKzvr3
                                                                                  MD5:90DA70F21E67A8A3197C9F454FA9CB57
                                                                                  SHA1:FC0B4A2B0F54E399477E168EEAFE962E6589DF91
                                                                                  SHA-256:FEA95A3982BE3C224FDDFCE307C75459525FDFE66B5A7E6D83625FF51542F54E
                                                                                  SHA-512:8563365117151AC0F90DFF6352D766F9A06E7AFCE2A2D949EC2A59DFA7078615BBCE59E6B081F351D45F8BB50793129509810EAF97F8D42ECD4F3B21AB3938C0
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):41064
                                                                                  Entropy (8bit):6.164873449128079
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                                                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                                                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                                                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                                                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Metadefender, Detection: 0%
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):2017
                                                                                  Entropy (8bit):4.663189584482275
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                                                                                  MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                                                                                  SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                                                                                  SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                                                                                  SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                                                                                  Malicious:false
                                                                                  Preview:Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for
                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):6.8232068623635715
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                  File name:B35@6B.exe
                                                                                  File size:600576
                                                                                  MD5:6753a24ed2a75dbd488c0a1783f03d05
                                                                                  SHA1:70c061619c4ebbbb111923257e76cd3cef5b3618
                                                                                  SHA256:a9b46ddb3ed98e2ca5e71253a69f686e1f618f724821eb98b52b812844117f33
                                                                                  SHA512:f7ffb706831a980a4fb1a631de7a7e594de3b95f490b869291439c828ed77afce69f168ac5e23b105fca5709d6f07b662a080cdce49dd81fd3db0b938465d588
                                                                                  SSDEEP:12288:+HND4jk8+eBJ3VhdcZelUbQ/y9vwItbzdEaBy61I38b:+HND4jk8+eBJ3VYZelIv5bpEF61I
                                                                                  TLSH:E6D4E03A3F91A41CC13D07B1047A6AC1A372918A3755CB1EA4C7E3EADF5172BBF22059
                                                                                  Icon Hash:00828e8e8686b000
                                                                                  Entrypoint:0x493cde
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x5D380A89 [Wed Jul 24 07:36:41 2019 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x93c84 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x94000 | 0x602 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x91ce4 | 0x91e00 | False | 0.6697645538774636 | data | 6.8368028789554005 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x94000 | 0x602 | 0x800 | False | 0.3466796875 | data | 3.6045008467063555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x96000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x940a0 | 0x378 | data | |
RT_MANIFEST | 0x94418 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 24, 2022 17:54:10.740134954 CEST | 53775 | 53 | 192.168.2.4 | 8.8.8.8
Jul 24, 2022 17:54:10.762516975 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.4
Jul 24, 2022 17:54:33.290987968 CEST | 54800 | 53 | 192.168.2.4 | 8.8.8.8
Jul 24, 2022 17:54:33.309811115 CEST | 53 | 54800 | 8.8.8.8 | 192.168.2.4
Jul 24, 2022 17:56:05.546564102 CEST | 60506 | 53 | 192.168.2.4 | 8.8.8.8
Jul 24, 2022 17:56:05.718669891 CEST | 53 | 60506 | 8.8.8.8 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 24, 2022 17:54:10.740134954 CEST | 192.168.2.4 | 8.8.8.8 | 0xaedc | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Jul 24, 2022 17:54:33.290987968 CEST | 192.168.2.4 | 8.8.8.8 | 0x979b | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Jul 24, 2022 17:56:05.546564102 CEST | 192.168.2.4 | 8.8.8.8 | 0xebf9 | Standard query (0) | multimetals.cfd | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 24, 2022 17:54:10.762516975 CEST | 8.8.8.8 | 192.168.2.4 | 0xaedc | No error (0) | www.google.com | | 142.250.185.132 | A (IP address) | IN (0x0001)
Jul 24, 2022 17:54:33.309811115 CEST | 8.8.8.8 | 192.168.2.4 | 0x979b | No error (0) | www.google.com | | 142.250.185.132 | A (IP address) | IN (0x0001)
Jul 24, 2022 17:56:05.718669891 CEST | 8.8.8.8 | 192.168.2.4 | 0xebf9 | No error (0) | multimetals.cfd | | 192.185.37.183 | A (IP address) | IN (0x0001)

                                                                                  • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49713 | 142.250.185.132 | 443 | C:\Users\user\Desktop\B35@6B.exe

Timestamp | kBytes transferred | Direction | Data
2022-07-24 15:54:11 UTC | 0 | OUT | GET / HTTP/1.1
Host: www.google.com
Connection: Keep-Alive
2022-07-24 15:54:11 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Jul 2022 15:54:11 GMT
                                                                                  Expires: -1
                                                                                  Cache-Control: private, max-age=0
                                                                                  Content-Type: text/html; charset=ISO-8859-1
                                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                  Server: gws
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  Set-Cookie: AEC=AakniGMek99NlxaowW24W4xNN_U526psYorP_WCPyGsImtSoN_tuEFPvtA; expires=Fri, 20-Jan-2023 15:54:11 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                  Set-Cookie: __Secure-ENID=6.SE=lteViqBfFG3rP25uCPTAaJ6QTqimm-nQyRZxXX_2wjWEVpJZxCQ7CMvIZIDwP9gjSMwCGD9hAYHc8Uc9bZ_e2LuSkNVTYT0l4NyfAC0QifQkrt_bwmr3KeDJVpB7BYkOWSp8Fw2-HSxgOaSSjFVSM0FmB30Jw9s5L0mFXhnpwbk; expires=Thu, 24-Aug-2023 08:12:29 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                  Set-Cookie: CONSENT=PENDING+864; expires=Tue, 23-Jul-2024 15:54:11 GMT; path=/; domain=.google.com; Secure
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                  Accept-Ranges: none
                                                                                  Vary: Accept-Encoding
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Data Ascii: 9,1380592,12865',kBL:'ZzbM'};google.sn='webhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];function l(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||h}function m(a){for(var b=null;a&&(!a.getAtt
                                                                                  2022-07-24 15:54:11 UTC3INData Raw: 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 73 75 62 6d 69 74 66 61 6c 73 65 22 29 3b 61 3d 22 31 22 3d 3d 3d 63
                                                                                  Data Ascii: .loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;google.lx=function(){};}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfalse");a="1"===c
                                                                                  2022-07-24 15:54:11 UTC5INData Raw: 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 74 63 62 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 23 67 62 7a 20 2e 67 62 74 63 62 7b 72 69 67 68 74 3a 30 7d 23 67 62 67 20 2e 67 62 74 63 62 7b 6c 65 66 74 3a 30 7d 2e 67 62 78 78 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 78 6f 7b 6f 70 61 63 69 74 79 3a 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 3b 74 6f 70 3a 2d 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 74 65 78 74 2d 61 6c
                                                                                  Data Ascii: idth:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:hidden;text-al
                                                                                  2022-07-24 15:54:11 UTC6INData Raw: 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 32 3b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 67 62 74 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 2e 67 62 74 6f 7b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 32 70 78 20 34 70 78 20 72 67 62
                                                                                  Data Ascii: argin:0;padding:0}.gbmc{background:#fff;padding:10px 0;position:relative;z-index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27px;padding:0;vertical-align:top}.gbt{*display:inline}.gbto{box-shadow:0 2px 4px rgb
                                                                                  2022-07-24 15:54:11 UTC7INData Raw: 34 63 34 63 34 63 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 31 30 32 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 70 64 6a 73 20 2e 67 62 74 6f 20 2e 67 62 6d 7b 6d 69 6e 2d 77 69 64 74 68 3a 39 39 25 7d 2e 67 62 7a 30 6c 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 64 64 34 62 33 39 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 34 73 2c 23 67 62 69 34 73 31 7b 66 6f 6e 74 2d
                                                                                  Data Ascii: 4c4c4c;background-image:none;_background-image:none;background-position:0 -102px;background-repeat:repeat-x;outline:none;text-decoration:none !important}.gbpdjs .gbto .gbm{min-width:99%}.gbz0l .gbtb2{border-top-color:#dd4b39!important}#gbi4s,#gbi4s1{font-
                                                                                  2022-07-24 15:54:11 UTC8INData Raw: 62 6e 64 20 2e 67 62 6d 74 2c 2e 67 62 6e 64 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 64 64 38 65 32 37 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 66 20 2e 67 62 6d 74 2c 2e 67 62 66 20 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 39 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 33 36 63 20 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 6d 74 2c 2e 67 62 6d 74 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 62 6c
                                                                                  Data Ascii: bnd .gbmt,.gbnd .gbmt:visited{color:#dd8e27 !important}.gbf .gbmt,.gbf .gbmt:visited{color:#900 !important}.gbmt,.gbml1,.gbmlb,.gbmt:visited,.gbml1:visited,.gbmlb:visited{color:#36c !important;text-decoration:none !important}.gbmt,.gbmt:visited{display:bl
                                                                                  2022-07-24 15:54:11 UTC10INData Raw: 78 20 34 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 32 29 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 7d 23 67 62 64 34 20 2e 67 62 6d 68 7b 6d 61 72 67 69 6e 3a 30 7d 2e 67 62 6d 74 63 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 37 70 78 7d 2e 47 42 4d 43 43 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 2c 23 47 42 4d 50 41 4c 3a 6c 61 73 74 2d 63 68 69 6c 64 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 27 5c 30 41 5c 30 41 27 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 70 72 65 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 23 67 62 6d 70 73 7b 2a 7a 6f 6f 6d 3a 31 7d 23 67 62 64 34 20 2e 67 62 70 63 2c 23 67 62 6d 70 61 73 20 2e 67 62 6d 74 7b
                                                                                  Data Ascii: x 4px rgba(0,0,0,.12);position:relative;z-index:1}#gbd4 .gbmh{margin:0}.gbmtc{padding:0;margin:0;line-height:27px}.GBMCC:last-child:after,#GBMPAL:last-child:after{content:'\0A\0A';white-space:pre;position:absolute}#gbmps{*zoom:1}#gbd4 .gbpc,#gbmpas .gbmt{
                                                                                  2022-07-24 15:54:11 UTC11INData Raw: 74 65 2d 73 70 61 63 65 3a 6e 6f 77 72 61 70 7d 2e 67 62 6d 70 61 6c 61 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 67 62 6d 70 61 6c 62 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 67 62 6d 70 61 73 62 20 2e 67 62 70 73 7b 63 6f 6c 6f 72 3a 23 30 30 30 7d 23 67 62 6d 70 61 6c 20 2e 67 62 71 66 62 62 7b 6d 61 72 67 69 6e 3a 30 20 32 30 70 78 7d 2e 67 62 70 30 20 2e 67 62 70 73 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 61 2e 67 62 69 62 61 7b 6d 61 72 67 69 6e 3a 38 70 78 20 32 30 70 78 20 31 30 70 78 7d 2e 67 62 6d 70 69 61 77 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a
                                                                                  Data Ascii: te-space:nowrap}.gbmpala{padding-left:0;text-align:left}.gbmpalb{padding-right:0;text-align:right}#gbmpasb .gbps{color:#000}#gbmpal .gbqfbb{margin:0 20px}.gbp0 .gbps{*display:inline}a.gbiba{margin:8px 20px 10px}.gbmpiaw{display:inline-block;padding-right:
                                                                                  2022-07-24 15:54:11 UTC12INData Raw: 62 2d 6e 6f 2d 66 6f 63 75 73 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 37 39 65 64 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 2d 68 76 72 2c 2e 67 62 71 66 62 61 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c
                                                                                  Data Ascii: b-no-focus:focus{border:1px solid #3079ed;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.gbqfb-hvr,.gbqfba-hvr,.gbqfbb-hvr{-webkit-box-shadow:0 1px 1px rgba(0,0,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,
                                                                                  2022-07-24 15:54:11 UTC14INData Raw: 67 65 3a 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 33 35 37 61 65 38 29 7d 2e 67 62 71 66 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 2d 77
                                                                                  Data Ascii: ge:-moz-linear-gradient(top,#4d90fe,#357ae8);background-image:-ms-linear-gradient(top,#4d90fe,#357ae8);background-image:-o-linear-gradient(top,#4d90fe,#357ae8);background-image:linear-gradient(top,#4d90fe,#357ae8)}.gbqfb:active{background-color:inherit;-w
                                                                                  2022-07-24 15:54:11 UTC15INData Raw: 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 38 66 38 66 38 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 38 66 38 66 38 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 31 66 31 66 31 27 29 7d 2e 67 62 71 66 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 62 66 62 66 62 29
                                                                                  Data Ascii: -image:linear-gradient(top,#f8f8f8,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#fbfbfb)
                                                                                  2022-07-24 15:54:11 UTC16INData Raw: 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 63 6f 6c 6f 72 3a 23 32 32 32 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 71 66 62 61 3a 61 63 74 69 76 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 7d 0a 23 67 62 6d 70 61 73 7b 6d 61 78 2d 68 65 69 67 68 74 3a 32 32 30 70
                                                                                  Data Ascii: .1);box-shadow:0 1px 1px rgba(0,0,0,.1);color:#222 !important}.gbqfba:active,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}#gbmpas{max-height:220p
                                                                                  2022-07-24 15:54:11 UTC17INData Raw: 67 62 73 62 62 7b 2d 77 65 62 6b 69 74 2d 6d 61 73 6b 2d 62 6f 78 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66 74 20 74 6f 70 2c 66 72 6f 6d 28 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 29 2c 74 6f 28 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29
                                                                                  Data Ascii: gbsbb{-webkit-mask-box-image:-webkit-gradient(linear,left top,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,left top,from(rgba(0,0,0,.2)),to(rgba(0,0,0,0))
                                                                                  2022-07-24 15:54:11 UTC19INData Raw: 31 35 35 38 64 36 7d 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 34 62 31 31 61 38 7d 2e 73 62 6c 63 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 35 70 78 7d 2e 73 62 6c 63 20 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67 68 74 3a 33 30 70 78 7d 2e 6c 73 62 62 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 23 57 71 51 41 4e 62 20 61 7b 64 69 73 70 6c 61
                                                                                  Data Ascii: 1558d6}a:visited{color:#4b11a8}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;height:30px}.lsbb{display:block}#WqQANb a{displa
                                                                                  2022-07-24 15:54:11 UTC20INData Raw: 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6f 75 74 65 72 48 54 4d 4c 2e 73 70 6c 69 74 28 22 5c 6e 22 29 5b 65 5d 2c 62 2b 3d 22 26 63 61 64 3d 22 2b 63 28 65 3f 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 33 30 30 29 3a 22 4e 6f 20 73 63 72 69 70 74 20 66 6f 75 6e 64 2e 22 29 29 29 3b 66 6f 72 28 76 61 72 20 74 20 69 6e 20 64 29 62 2b 3d 22 26 22 2c 62 2b 3d 63 28 74 29 2c 62 2b 3d 22 3d 22 2c 62 2b 3d 63 28 64 5b 74 5d 29 3b 62 3d 62 2b 22 26 65 6d 73 67 3d 22 2b 63 28 61 2e 6e 61 6d 65 2b 22 3a 20 22 2b 61 2e 6d 65 73 73 61 67 65 29 3b 62 3d 62 2b 22 26 6a 73 73 74 3d 22 2b 63 28 61 2e 73 74 61 63 6b 7c 7c 22 4e 2f 41 22 29 3b 31 32 32 38 38 3c 3d 62 2e 6c 65 6e 67 74 68 26 26 28 62 3d 62 2e 73 75 62 73 74 72 28 30 2c 31 32 32 38 38 29 29 3b
                                                                                  Data Ascii: t.documentElement.outerHTML.split("\n")[e],b+="&cad="+c(e?e.substring(0,300):"No script found.")));for(var t in d)b+="&",b+=c(t),b+="=",b+=c(d[t]);b=b+"&emsg="+c(a.name+": "+a.message);b=b+"&jsst="+c(a.stack||"N/A");12288<=b.length&&(b=b.substr(0,12288));
                                                                                  2022-07-24 15:54:11 UTC21INData Raw: 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 2c 6d 3d 63 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 6b 3f 6d 3a 76 6f 69 64 20 30 3d 3d 6d 3f 6b 3a 6d 26 26 6b 7d 7d 7d 76 61 72 20 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 2e 62 76 2e 6d 3d 3d 61 7d 7d 2c 65 61 3d 64 61 28 31 29 2c 66 61 3d 64 61 28 32 29 3b 70 28 22 73 62 22 2c 65 61 29 3b 70 28 22 6b 6e 22 2c 66 61 29 3b 68 2e 61 3d 5f 74 76 76 3b 68 2e 62 3d 5f 74 76 66 3b 68 2e 63 3d 5f 74 76 6e 3b 68 2e 69 3d 61 61 3b 76 61 72 20 72 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 2c 68 61 3d 66 75 6e
                                                                                  Data Ascii: is,arguments),m=c.apply(this,arguments);return void 0==k?m:void 0==m?k:m&&k}}}var da=function(a){return function(){return g.bv.m==a}},ea=da(1),fa=da(2);p("sb",ea);p("kn",fa);h.a=_tvv;h.b=_tvf;h.c=_tvn;h.i=aa;var r=window.gbar.i.i;var t=function(){},ha=fun
                                                                                  2022-07-24 15:54:11 UTC22INData Raw: 65 37 0d 0a 26 26 63 5b 30 5d 21 3d 61 3b 2b 2b 62 29 3b 21 63 7c 7c 63 5b 31 5d 2e 6c 7c 7c 63 5b 31 5d 2e 73 7c 7c 28 63 5b 31 5d 2e 73 3d 21 30 2c 73 61 28 32 2c 61 29 2c 63 5b 31 5d 2e 75 72 6c 26 26 72 61 28 63 5b 31 5d 2e 75 72 6c 2c 61 29 2c 63 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 63 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c 2c 76 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 75 61 3d 61 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 75 61 29 7b 61 3d 7b 74 3a 61 2c 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 0d 0a
                                                                                  Data Ascii: e7&&c[0]!=a;++b);!c||c[1].l||c[1].s||(c[1].s=!0,sa(2,a),c[1].url&&ra(c[1].url,a),c[1].libs&&C&&C(c[1].libs))},ta=function(a){A("gc",a)},ua=null,va=function(a){ua=a},sa=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];
                                                                                  2022-07-24 15:54:11 UTC22INData Raw: 36 38 39 64 0d 0a 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 76 29 3b 70 28 22 6d 64 69 22 2c 6c 61 29 3b 70 28 22 62 6e 63 22 2c 77 29 3b 70 28 22 71 47 43 22 2c 74 61 29 3b 70 28 22 71 6d 22 2c 42 29 3b 70 28 22 71 64 22 2c 78 29 3b 70 28 22 6c 62 22 2c 44 29 3b 70 28 22 6d 63 66 22 2c 70 61 29 3b 70 28 22 62 63 66 22 2c 6f 61 29 3b 70 28 22 61 71 22 2c 41 29 3b 70 28 22 6d 64 64 22 2c 22 22 29 3b 0a 70 28 22 68 61 73 22 2c 71 61 29 3b 70 28 22 74 72 68 22 2c 76 61 29 3b 70 28 22 74 65 76 22 2c 73 61 29 3b 69 66 28 68 2e 61 28 22 6d 3b 2f 5f 2f 73 63 73 2f 61 62 63 2d 73 74 61 74 69 63 2f 5f 2f 6a 73 2f 6b 3d 67 61 70 69 2e 67 61 70 69 2e 65 6e 2e 74 39 7a 37 56 50 73 45 4d 46 67 2e 4f 2f 64 3d 31 2f 72
                                                                                  Data Ascii: 689dtry{ua(a)}catch(f){}}};p("mdc",v);p("mdi",la);p("bnc",w);p("qGC",ta);p("qm",B);p("qd",x);p("lb",D);p("mcf",pa);p("bcf",oa);p("aq",A);p("mdd","");p("has",qa);p("trh",va);p("tev",sa);if(h.a("m;/_/scs/abc-static/_/js/k=gapi.gapi.en.t9z7VPsEMFg.O/d=1/r
                                                                                  2022-07-24 15:54:11 UTC24INData Raw: 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 2c 22 26 6a 65 78 70 69 64 3d 22 2c 64 28 22 32 38 38 33 34 22 29 2c 22 26 73 72 63 70 67 3d 22 2c 64 28 22 70 72 6f 70 3d 31 22 29 2c 22 26 6a 73 72 3d 22 2c 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 46 61 29 2c 22 26 6f 67 65 76 3d 22 2c 64 28 22 49 32 76 64 59 76 44 74 44 71 47 68 37 5f 55 50 30 34 65 39 57 41 22 29 2c 22 26 6f 67 66 3d 22 2c 67 2e 62 76 2e 66 2c 22 26 6f 67 72 70 3d 22 2c 64 28 22 22 29 2c 22 26 6f 67 76 3d 22 2c 64 28 22 34 36 31 35 31 31 30 38 39 2e 30 22 29 2c 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 37 30 36 2e 30 5f 70
                                                                                  Data Ascii: www.google.com/gen_204?atyp=i&zx=",(new Date).getTime(),"&jexpid=",d("28834"),"&srcpg=",d("prop=1"),"&jsr=",Math.round(1/Fa),"&ogev=",d("I2vdYvDtDqGh7_UP04e9WA"),"&ogf=",g.bv.f,"&ogrp=",d(""),"&ogv=",d("461511089.0"),"&oggv="+d("es_plusone_gc_20220706.0_p
                                                                                  2022-07-24 15:54:11 UTC25INData Raw: 41 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 76 32 59 6d 4e 78 6b 6f 64 75 52 48 6c 4d 6f 79 4a 7a 6a 6e 75 58 48 68 78 5a 6f 41 22 5d 3b 4b 61 26 26 61 2e 70 75 73 68 28 22 3f 68 6f 73 74 3d 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 26 62 75 73 74 3d 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 6c 46 6e 78 6e 77 6b 54 79 4a 55 2e 44 55 22 29 3b 61 3d 61 2e 6a 6f 69 6e 28 22 22 29 3b 72 61 28 61 29 7d 3b 70 28 22 63 61 22 2c 4a 29 3b 70 28 22 63 72 22 2c 4b 29 3b 70 28 22 63 63 22 2c 48 29 3b 68 2e 6b 3d 4a 3b 68 2e 6c 3d 4b 3b 68 2e 6d 3d 48 3b 68 2e 6e 3d 4d 61 3b 68 2e 70 3d 4f 61 3b 68 2e 71 3d 4e 61 3b 76 61 72 20 50 61 3d 5b 22 67 62 5f 37 31 22 2c 22 67 62 5f 31 35 35 22 5d 2c 51 61 3b 66 75 6e 63 74
                                                                                  Data Ascii: A.O","/rt=j/m=",a,"/rs=","AA2YrTv2YmNxkoduRHlMoyJzjnuXHhxZoA"];Ka&&a.push("?host=www.gstatic.com&bust=og.og2.en_US.lFnxnwkTyJU.DU");a=a.join("");ra(a)};p("ca",J);p("cr",K);p("cc",H);h.k=J;h.l=K;h.m=H;h.n=Ma;h.p=Oa;h.q=Na;var Pa=["gb_71","gb_155"],Qa;funct
                                                                                  2022-07-24 15:54:11 UTC26INData Raw: 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 6e 29 3b 6c 26 26 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 4b 28 6c 2e 70 61 72 65 6e 74 4e 6f 64 65 2c 22 67 62 74 6f 22 29 7d 7d 7d 24 61 28 66 29 26 26 61 62 28 66 29 3b 4f 3d 64 3b 4a 28 6b 2c 22 67 62 74 6f 22 29 7d 7d 7d 7d 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 74 67 28 61 2c 62 2c 21 30 29 7d 29 3b 62 62 28 61 29 7d 63 61 74 63 68 28 71 29 7b 72 28 71 2c 22 73 62 22 2c 22 74 67 22 29 7d 7d 2c 64 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 63 6c 6f 73 65 28 61 29 7d 29 7d 2c 65 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 66 75 6e 63 74 69 6f 6e
                                                                                  Data Ascii: owner");if(n.length){var l=document.getElementById(n);l&&l.parentNode&&K(l.parentNode,"gbto")}}}$a(f)&&ab(f);O=d;J(k,"gbto")}}}}B(function(){g.tg(a,b,!0)});bb(a)}catch(q){r(q,"sb","tg")}},db=function(a){B(function(){g.close(a)})},eb=function(a){B(function
                                                                                  2022-07-24 15:54:11 UTC28INData Raw: 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 29 7d 7d 63 61 74 63 68 28 45 62 29 7b 72 28 45 62 2c 22 73 62 22 2c 22 61 6c 22 29 7d 7d 2c 66 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 66 6f 72 28 76 61 72 20 63 3d 62 2e 6c 65 6e 67 74 68 2c 0a 64 3d 30 3b 64 3c 63 3b 64 2b 2b 29 69 66 28 48 28 61 2c 62 5b 64 5d 29 29 72 65 74 75 72 6e 21 30 3b 72 65 74 75 72 6e 21 31 7d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 62 28 61 2c 62 2c 63 29 7d 2c 69 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 62 28 61 2c 22 67 62 65 22 2c 62 29 7d 2c 6a 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 70 63 6d 26 26 67 2e 70 63 6d 28 29 7d 29
                                                                                  Data Ascii: er&&g.addHover(a)}else k.appendChild(m)}}catch(Eb){r(Eb,"sb","al")}},fb=function(a,b){for(var c=b.length,d=0;d<c;d++)if(H(a,b[d]))return!0;return!1},hb=function(a,b,c){gb(a,b,c)},ib=function(a,b){gb(a,"gbe",b)},jb=function(){B(function(){g.pcm&&g.pcm()})
                                                                                  2022-07-24 15:54:11 UTC29INData Raw: 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 62 5d 3b 62 2b 2b 29 69 66 28 48 28 63 2c 22 67 62 6d 73 67 22 29 29 72 65 74 75 72 6e 20 63 7d 2c 50 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 71 62 26 26 77 69 6e 64 6f 77 2e 63 6c 65 61 72 54 69 6d 65 6f 75 74 28 71 62 29 7d 2c 75 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 69 6e 6e 65 72 22 2b 61 3b 61 3d 22 6f 66 66 73 65 74 22 2b 61 3b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 5b 62 5d 3f 77 69 6e 64 6f 77 5b 62 5d 3a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 26 26 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 5b 61 5d 3f 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 5b 61 5d 3a 30 7d
                                                                                  Data Ascii: var b=0,c;c=a.childNodes[b];b++)if(H(c,"gbmsg"))return c},P=function(){qb&&window.clearTimeout(qb)},ub=function(a){var b="inner"+a;a="offset"+a;return window[b]?window[b]:document.documentElement&&document.documentElement[a]?document.documentElement[a]:0}


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  1 | 192.168.2.4 | 49714 | 142.250.185.132 | 443 | C:\Users\user\Desktop\B35@6B.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-07-24 15:54:33 UTC | 49 | OUT | GET / HTTP/1.1
                                                                                  Host: www.google.com
                                                                                  Connection: Keep-Alive
                                                                                  2022-07-24 15:54:34 UTC | 49 | IN | HTTP/1.1 200 OK
                                                                                  Date: Sun, 24 Jul 2022 15:54:33 GMT
                                                                                  Expires: -1
                                                                                  Cache-Control: private, max-age=0
                                                                                  Content-Type: text/html; charset=ISO-8859-1
                                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                  Server: gws
                                                                                  X-XSS-Protection: 0
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  Set-Cookie: AEC=AakniGPy_B-J3ibkif6wYtRKD7j355ubJj89mlpY_Dtl1IsLpphUKyNPmrw; expires=Fri, 20-Jan-2023 15:54:34 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                  Set-Cookie: __Secure-ENID=6.SE=R9j0hhYDGTeqtLlByfY3tFkmRp-xSrS59qyeJEQ6oQcyllEYn1fPBsapAXsxRUVt4l8U0naUeTP1r9GQuniN2gxUSiMjOawiwXb-V_H4J5EgM2P0RpBGhBrDXHYRlWE_1GtHS807cJqjSxrM97AOiKJzzh25bqx7wVCB_Al34SY; expires=Thu, 24-Aug-2023 08:12:51 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                  Set-Cookie: CONSENT=PENDING+372; expires=Tue, 23-Jul-2024 15:54:33 GMT; path=/; domain=.google.com; Secure
                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                  Accept-Ranges: none
                                                                                  Vary: Accept-Encoding
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Data Ascii: ear-gradient(top,#f8f8f8,#f1f1f1);background-image:linear-gradient(top,#f8f8f8,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f8f8f8',EndColorStr='#f1f1f1')}.gbqfbb{background-color:#fff;background-image:-webkit-gradient(linear
                                                                                  2022-07-24 15:54:34 UTC65INData Raw: 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 63 6f 6c 6f 72 3a 23 32 32 32 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 71 66 62 61 3a 61 63 74 69 76 65 2c 2e 67 62 71 66 62 62 3a 61 63 74 69 76 65 7b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 31 70 78
                                                                                  Data Ascii: ,0,.1);-moz-box-shadow:0 1px 1px rgba(0,0,0,.1);box-shadow:0 1px 1px rgba(0,0,0,.1);color:#222 !important}.gbqfba:active,.gbqfbb:active{-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px
                                                                                  2022-07-24 15:54:34 UTC67INData Raw: 65 62 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 33 29 3b 74 6f 70 3a 30 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 7b 2d 77 65 62 6b 69 74 2d 6d 61 73 6b 2d 62 6f 78 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 72 69 67 68 74 20 74 6f 70 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 30 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 2e 35 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 38 29 29 2c 63 6f 6c 6f 72 2d 73 74 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 6c 65 66
                                                                                  Data Ascii: eb;border-color:rgba(0,0,0,.3);top:0}.gbsb .gbsbb{-webkit-mask-box-image:-webkit-gradient(linear,left top,right top,color-stop(0,rgba(0,0,0,.1)),color-stop(.5,rgba(0,0,0,.8)),color-stop(1,rgba(0,0,0,.1)));background:-webkit-gradient(linear,left bottom,lef
                                                                                  2022-07-24 15:54:34 UTC68INData Raw: 74 69 76 65 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 2e 66 6c 20 61 7b 63 6f 6c 6f 72 3a 23 31 35 35 38 64 36 7d 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 34 62 31 31 61 38 7d 2e 73 62 6c 63 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 35 70 78 7d 2e 73 62 6c 63 20 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 38 66 39 66 61 3b 62 6f 72 64 65 72 3a 73 6f 6c 69 64 20 31 70 78 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 64 61 64 63 65 30 20 23 37 30 37 35 37 61 20 23 37 30 37 35 37 61 20 23 64 61 64 63 65 30 3b 68 65 69 67
                                                                                  Data Ascii: tive{text-decoration:underline}.fl a{color:#1558d6}a:visited{color:#4b11a8}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f8f9fa;border:solid 1px;border-color:#dadce0 #70757a #70757a #dadce0;heig
                                                                                  2022-07-24 15:54:34 UTC69INData Raw: 63 28 6c 29 2c 65 26 26 6c 3d 3d 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 26 26 28 65 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6f 75 74 65 72 48 54 4d 4c 2e 73 70 6c 69 74 28 22 5c 6e 22 29 5b 65 5d 2c 62 2b 3d 22 26 63 61 64 3d 22 2b 63 28 65 3f 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 33 30 30 29 3a 22 4e 6f 20 73 63 72 69 70 74 20 66 6f 75 6e 64 2e 22 29 29 29 3b 66 6f 72 28 76 61 72 20 74 20 69 6e 20 64 29 62 2b 3d 22 26 22 2c 62 2b 3d 63 28 74 29 2c 62 2b 3d 22 3d 22 2c 62 2b 3d 63 28 64 5b 74 5d 29 3b 62 3d 62 2b 22 26 65 6d 73 67 3d 22 2b 63 28 61 2e 6e 61 6d 65 2b 22 3a 20 22 2b 61 2e 6d 65 73 73 61 67 65 29 3b 62 3d 62 2b 22 26 6a 73 73 74 3d 22 2b 63 28 61 2e 73 74 61 63 6b 7c 7c 22 4e
                                                                                  Data Ascii: c(l),e&&l===window.location.href&&(e=document.documentElement.outerHTML.split("\n")[e],b+="&cad="+c(e?e.substring(0,300):"No script found.")));for(var t in d)b+="&",b+=c(t),b+="=",b+=c(d[t]);b=b+"&emsg="+c(a.name+": "+a.message);b=b+"&jsst="+c(a.stack||"N
                                                                                  2022-07-24 15:54:34 UTC70INData Raw: 7b 76 61 72 20 66 3d 61 5b 64 5d 3b 61 5b 64 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6b 3d 66 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 2c 6d 3d 63 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 76 6f 69 64 20 30 3d 3d 6b 3f 6d 3a 76 6f 69 64 20 30 3d 3d 6d 3f 6b 3a 6d 26 26 6b 7d 7d 7d 76 61 72 20 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 2e 62 76 2e 6d 3d 3d 61 7d 7d 2c 65 61 3d 64 61 28 31 29 2c 66 61 3d 64 61 28 32 29 3b 70 28 22 73 62 22 2c 65 61 29 3b 70 28 22 6b 6e 22 2c 66 61 29 3b 68 2e 61 3d 5f 74 76 76 3b 68 2e 62 3d 5f 74 76 66 3b 68 2e 63 3d 5f 74 76 6e 3b 68 2e 69 3d 61 61 3b 76 61 72
                                                                                  Data Ascii: {var f=a[d];a[d]=function(){var k=f.apply(this,arguments),m=c.apply(this,arguments);return void 0==k?m:void 0==m?k:m&&k}}}var da=function(a){return function(){return g.bv.m==a}},ea=da(1),fa=da(2);p("sb",ea);p("kn",fa);h.a=_tvv;h.b=_tvf;h.c=_tvn;h.i=aa;var
                                                                                  2022-07-24 15:54:34 UTC71INData Raw: 64 39 0d 0a 62 7c 7c 22 55 4e 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 44 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 28 63 3d 77 5b 62 5d 29 26 26 63 5b 30 5d 21 3d 61 3b 2b 2b 62 29 3b 21 63 7c 7c 63 5b 31 0d 0a
                                                                                  Data Ascii: d9b||"UNK")+" url="+a))});(document.getElementById("xjsc")||document.getElementsByTagName("body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},D=function(a){for(var b=0,c;(c=w[b])&&c[0]!=a;++b);!c||c[1
                                                                                  2022-07-24 15:54:34 UTC71INData Raw: 36 39 37 31 0d 0a 5d 2e 6c 7c 7c 63 5b 31 5d 2e 73 7c 7c 28 63 5b 31 5d 2e 73 3d 21 30 2c 73 61 28 32 2c 61 29 2c 63 5b 31 5d 2e 75 72 6c 26 26 72 61 28 63 5b 31 5d 2e 75 72 6c 2c 61 29 2c 63 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 63 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 41 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c 2c 76 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 75 61 3d 61 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 75 61 29 7b 61 3d 7b 74 3a 61 2c 62 3a 62 7d 3b 69 66 28 63 29 66 6f 72 28 76 61 72 20 64 20 69 6e 20 63 29 61 5b 64 5d 3d 63 5b 64 5d 3b 74 72 79 7b 75 61 28 61 29 7d 63 61 74 63 68 28 66 29 7b 7d 7d 7d 3b 70 28 22 6d 64 63 22 2c 76 29 3b 70 28 22 6d 64 69
                                                                                  Data Ascii: 6971].l||c[1].s||(c[1].s=!0,sa(2,a),c[1].url&&ra(c[1].url,a),c[1].libs&&C&&C(c[1].libs))},ta=function(a){A("gc",a)},ua=null,va=function(a){ua=a},sa=function(a,b,c){if(ua){a={t:a,b:b};if(c)for(var d in c)a[d]=c[d];try{ua(a)}catch(f){}}};p("mdc",v);p("mdi
                                                                                  2022-07-24 15:54:34 UTC73INData Raw: 6c 3a 22 65 6e 22 7d 3b 76 2e 67 6c 3d 45 61 3b 77 61 3f 41 61 2e 6c 6f 61 64 7c 7c 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3a 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3b 70 28 22 64 67 6c 22 2c 42 61 29 3b 70 28 22 61 67 6c 22 2c 44 61 29 3b 68 2e 6f 3d 78 61 7d 3b 76 61 72 20 46 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 30 30 31 29 2c 47 61 3d 30 3b 0a 66 75 6e 63 74 69 6f 6e 20 5f 6d 6c 54 6f 6b 65 6e 28 61 2c 62 29 7b 74 72 79 7b 69 66 28 31 3e 47 61 29 7b 47 61 2b 2b 3b 76 61 72 20 63 3d 61 3b 62 3d 62 7c 7c 7b 7d 3b 76 61 72 20 64 3d 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 2c 66 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 28 6e 65 77 20 44 61 74 65 29 2e
                                                                                  Data Ascii: l:"en"};v.gl=Ea;wa?Aa.load||p("load",Ba,Aa):p("load",Ba,Aa);p("dgl",Ba);p("agl",Da);h.o=xa};var Fa=h.b("0.1",.001),Ga=0;function _mlToken(a,b){try{if(1>Ga){Ga++;var c=a;b=b||{};var d=encodeURIComponent,f=["//www.google.com/gen_204?atyp=i&zx=",(new Date).
                                                                                  2022-07-24 15:54:34 UTC74INData Raw: 28 61 2c 62 29 7b 48 28 61 2c 62 29 3f 4b 28 61 2c 62 29 3a 4a 28 61 2c 62 29 7d 2c 4e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 2c 4f 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 0a 5b 4c 61 3f 22 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 2c 22 2f 6f 67 2f 5f 2f 6a 73 2f 64 3d 31 2f 6b 3d 22 2c 22 6f 67 2e 6f 67 32 2e 65 6e 5f 55 53 2e 68 79 6a 56 6d 61 75 61 37 79 41 2e 4f 22 2c 22 2f 72 74 3d 6a 2f 6d 3d 22 2c 61 2c 22 2f 72 73 3d 22 2c 22 41 41 32 59 72 54 76 32 59 6d 4e 78 6b 6f 64 75 52 48 6c
                                                                                  Data Ascii: (a,b){H(a,b)?K(a,b):J(a,b)},Na=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}},Oa=function(a){a=[La?"":"https://www.gstatic.com","/og/_/js/d=1/k=","og.og2.en_US.hyjVmaua7yA.O","/rt=j/m=",a,"/rs=","AA2YrTv2YmNxkoduRHl
                                                                                  2022-07-24 15:54:34 UTC75INData Raw: 74 65 28 22 61 72 69 61 2d 6f 77 6e 73 22 29 3b 69 66 28 64 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 66 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 64 29 3b 69 66 28 66 29 7b 76 61 72 20 6b 3d 62 2e 70 61 72 65 6e 74 4e 6f 64 65 3b 69 66 28 4f 3d 3d 64 29 4f 3d 76 6f 69 64 20 30 2c 0a 4b 28 6b 2c 22 67 62 74 6f 22 29 3b 65 6c 73 65 7b 69 66 28 4f 29 7b 76 61 72 20 6d 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4f 29 3b 69 66 28 6d 26 26 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 29 7b 76 61 72 20 6e 3d 6d 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 61 72 69 61 2d 6f 77 6e 65 72 22 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 6c 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e
                                                                                  Data Ascii: te("aria-owns");if(d.length){var f=document.getElementById(d);if(f){var k=b.parentNode;if(O==d)O=void 0,K(k,"gbto");else{if(O){var m=document.getElementById(O);if(m&&m.getAttribute){var n=m.getAttribute("aria-owner");if(n.length){var l=document.getElemen
                                                                                  2022-07-24 15:54:34 UTC77INData Raw: 29 7c 7c 28 6c 3d 64 29 7d 62 72 65 61 6b 7d 30 3c 64 26 26 64 2b 31 3c 6e 26 26 64 2b 2b 7d 69 66 28 30 3c 3d 6c 29 7b 76 61 72 20 79 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 6c 69 22 29 2c 7a 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 79 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 63 22 3b 7a 2e 63 6c 61 73 73 4e 61 6d 65 3d 22 67 62 6d 74 20 67 62 6d 68 22 3b 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 7a 29 3b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 79 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 6c 5d 29 7d 67 2e 61 64 64 48 6f 76 65 72 26 26 67 2e 61 64 64 48 6f 76 65 72 28 61 29 7d 65 6c 73 65 20 6b 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 29 7d 7d 63 61 74 63
                                                                                  Data Ascii: )||(l=d)}break}0<d&&d+1<n&&d++}if(0<=l){var y=document.createElement("li"),z=document.createElement("div");y.className="gbmtc";z.className="gbmt gbmh";y.appendChild(z);k.insertBefore(y,k.childNodes[l])}g.addHover&&g.addHover(a)}else k.appendChild(m)}}catc
                                                                                  2022-07-24 15:54:34 UTC78INData Raw: 3b 63 3d 30 3b 66 6f 72 28 76 61 72 20 66 3b 66 3d 62 5b 63 5d 3b 63 2b 2b 29 7b 76 61 72 20 6b 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 3b 0a 6b 2e 69 6e 6e 65 72 48 54 4d 4c 3d 66 3b 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6b 29 7d 7d 65 6c 73 65 20 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 62 3b 51 28 61 2c 21 30 29 7d 7d 7d 2c 51 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 28 62 3d 76 6f 69 64 20 30 21 3d 3d 62 3f 62 3a 21 30 29 3f 4a 28 61 2c 22 67 62 6d 73 67 6f 22 29 3a 4b 28 61 2c 22 67 62 6d 73 67 6f 22 29 7d 2c 24 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 30 2c 63 3b 63 3d 61 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 62 5d 3b 62 2b 2b 29 69 66 28 48 28 63 2c 22 67 62 6d 73 67
                                                                                  Data Ascii: ;c=0;for(var f;f=b[c];c++){var k=document.createElement("div");k.innerHTML=f;d.appendChild(k)}}else d.innerHTML=b;Q(a,!0)}}},Q=function(a,b){(b=void 0!==b?b:!0)?J(a,"gbmsgo"):K(a,"gbmsgo")},$a=function(a){for(var b=0,c;c=a.childNodes[b];b++)if(H(c,"gbmsg
                                                                                  2022-07-24 15:54:34 UTC79INData Raw: 6c 69 62 73 3a 22 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6c 69 65 6e 74 3a 67 61 70 69 2e 69 66 72 61 6d 65 73 22 7d 5d 29 3b 76 61 72 20 42 62 3d 7b 76 65 72 73 69 6f 6e 3a 22 67 63 69 5f 39 31 66 33 30 37 35 35 64 36 61 36 62 37 38 37 64 63 63 32 61 34 30 36 32 65 36 65 39 38 32 34 2e 6a 73 22 2c 69 6e 64 65 78 3a 22 22 2c 6c 61 6e 67 3a 22 65 6e 22 7d 3b 76 2e 67 63 3d 42 62 3b 76 61 72 20 43 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 61 70 69 73 26 26 77 69 6e 64 6f 77 2e 69 66 72 61 6d 65 73 3f 61 26 26 61 28 29 3a 28 61 26 26 74 61 28 61 29 2c 44 28 22 67 63 22 29 29 7d 3b 70 28 22 6c 47 43 22 2c 43 62 29 3b 68 2e 61 28 22 31 22 29 26 26 70 28 22 6c 50 57 46 22 2c 43 62 29 7d 3b 77 69 6e 64 6f 77 2e 5f 5f 50 56 54
                                                                                  Data Ascii: libs:"googleapis.client:gapi.iframes"}]);var Bb={version:"gci_91f30755d6a6b787dcc2a4062e6e9824.js",index:"",lang:"en"};v.gc=Bb;var Cb=function(a){window.googleapis&&window.iframes?a&&a():(a&&ta(a),D("gc"))};p("lGC",Cb);h.a("1")&&p("lPWF",Cb)};window.__PVT
                                                                                  2022-07-24 15:54:34 UTC80INData Raw: 77 20 44 61 74 65 29 2e 67 65 74 54 69 6d 65 28 29 3b 6b 3d 64 28 22 32 38 38 33 34 22 29 3b 6d 3d 64 28 22 4f 57 76 64 59 71 62 4c 50 4a 69 52 78 63 38 50 77 72 61 75 69 41 73 22 29 3b 76 61 72 20 6c 3d 67 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 63 29 3b 76 61 72 20 45 3d 64 28 22 34 36 31 35 31 31 30 38 39 2e 30 22 29 2c 55 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 36 30 37 2e 31 5f 70 30 22 29 2c 49 3d 64 28 22 63 6f 6d 22 29 2c 56 3d 64 28 22 65 6e 22 29 2c 57 3d 0a 64 28 22 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22
                                                                                  Data Ascii: w Date).getTime();k=d("28834");m=d("OWvdYqbLPJiRxc8PwrauiAs");var l=g.bv.f,q=d("1");n=d(n);c=Math.round(1/c);var E=d("461511089.0"),U="&oggv="+d("es_plusone_gc_20220607.1_p0"),I=d("com"),V=d("en"),W=d("GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a(""
                                                                                  2022-07-24 15:54:34 UTC82INData Raw: 65 72 3d 73 32 34 22 7d 2c 0a 24 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 42 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 64 28 29 7d 29 7d 3b 70 28 22 73 70 6e 22 2c 56 62 29 3b 70 28 22 73 70 70 22 2c 58 62 29 3b 70 28 22 73 70 73 22 2c 57 62 29 3b 70 28 22 73 70 64 22 2c 24 62 29 3b 70 28 22 70 61 61 22 2c 54 62 29 3b 70 28 22 70 72 6d 22 2c 55 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 55 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 61 63 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61
                                                                                  Data Ascii: er=s24"},$b=function(){B(function(){g.spd()})};p("spn",Vb);p("spp",Xb);p("sps",Wb);p("spd",$b);p("paa",Tb);p("prm",Ub);mb("gbd4",Ub);if(h.a("")){var ac={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a
                                                                                  2022-07-24 15:54:34 UTC83INData Raw: 76 61 72 20 62 3d 21 31 3b 74 72 79 7b 62 3d 61 2e 63 6f 6f 6b 69 65 26 26 61 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 6b 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 6c 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 6d 63 3d 66 75 6e 63 74 69 6f 6e 28 61
                                                                                  Data Ascii: var b=!1;try{b=a.cookie&&a.cookie.match("PREF")}catch(c){}return!b},kc=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},lc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeof a.load},mc=function(a
                                                                                  2022-07-24 15:54:34 UTC84INData Raw: 22 29 3b 5a 28 67 2e 75 70 2c 22 73 69 22 29 3b 5a 28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 63 6f 2e 75 6b 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 72 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6c 3b 28 6c 3d 6b 5b 6d 2b 2b 5d 29 26 26 22 6d 22 21 3d 6c 5b 30 5d 26 26 21 6c 5b 31 5d 2e 61 75 74 6f 3b 29 3b 6c 26 26 28 73 61 28 32 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 75 72 6c 26 26 72 61 28 6c 5b 31 5d 2e 75 72 6c 2c 6c 5b 30 5d 29 2c 6c 5b 31 5d 2e 6c 69 62 73 26 26 43 26 26 43 28 6c 5b 31 5d 2e 6c 69 62 73 29 29 3b 6d
                                                                                  Data Ascii: ");Z(g.up,"si");Z(g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld:"co.uk",prid:"1"});function rc(){function a(){for(var l;(l=k[m++])&&"m"!=l[0]&&!l[1].auto;);l&&(sa(2,l[0]),l[1].url&&ra(l[1].url,l[0]),l[1].libs&&C&&C(l[1].libs));m
                                                                                  2022-07-24 15:54:34 UTC85INData Raw: 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 64 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 66 3d 65 2e 69 3b 76 61 72 20 67 3d 66 2e 63 28 22 31 22 2c 30 29 2c 68 3d 2f 5c 62 67 62 6d 74 5c 62 2f 2c 6b 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42
                                                                                  Data Ascii: l(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var d=window.gbar.i.i;var e=window.gbar;var f=e.i;var g=f.c("1",0),h=/\bgbmt\b/,k=function(a){try{var b=document.getElementB
                                                                                  2022-07-24 15:54:34 UTC87INData Raw: 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30 22 29 2c 75 3a 65 28 22 22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64 63 66 67 22 5d 2c 6b 3d 61 3b 68 5b 30 5d 69 6e 20 6b 7c 7c 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65 63 53 63 72 69 70 74 7c 7c 6b 2e 65 78 65 63 53 63 72 69 70 74 28 22 76 61 72 20 22 2b 68 5b 30 5d 29 3b 66 6f 72 28 76 61 72 20 6c 3b 68 2e 6c 65 6e 67 74 68 26 26 28 6c 3d 68 2e 73 68 69 66 74 28 29 29 3b 29 68 2e 6c 65 6e 67 74 68 7c 7c 76 6f 69 64 20 30 3d 3d 3d 67 3f 6b 3d 6b 5b 6c 5d 26 26 6b 5b 6c 5d 21 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 5b 6c 5d 3f 6b 5b 6c 5d 3a 6b 5b 6c 5d 3d 7b 7d 3a 6b 5b 6c 5d 3d 67 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77
                                                                                  Data Ascii: "),to:e("300000"),u:e(""),vf:".66."},g=f,h=["bndcfg"],k=a;h[0]in k||"undefined"==typeof k.execScript||k.execScript("var "+h[0]);for(var l;h.length&&(l=h.shift());)h.length||void 0===g?k=k[l]&&k[l]!==Object.prototype[l]?k[l]:k[l]={}:k[l]=g;}catch(e){window
                                                                                  2022-07-24 15:54:34 UTC88INData Raw: 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 49 6d 61 67 65 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 6d 61 70 73 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 6c 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 4d 61 70 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 37 38 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f
                                                                                  Data Ascii: <span class=gbts>Images</span></a></li><li class=gbt><a class=gbzt id=gb_8 href="https://maps.google.co.uk/maps?hl=en&tab=wl"><span class=gbtb2></span><span class=gbts>Maps</span></a></li><li class=gbt><a class=gbzt id=gb_78 href="https://play.google.com/
                                                                                  2022-07-24 15:54:34 UTC89INData Raw: 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 7a 74 6d 3e 3c 64 69 76 20 69 64 3d 67 62 6d 6d 62 20 63 6c 61 73 73 3d 22 67 62 6d 63 20 67 62 73 62 20 67 62 73 62 69 73 22 3e 3c 6f 6c 20 69 64 3d 67 62 6d 6d 20 63 6c 61 73 73 3d 22 67 62 6d 63 63 20 67 62 73 62 69 63 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 34 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 61 6c 65 6e 64 61 72 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 63 61 6c 65 6e 64 61 72 3f 74 61 62 3d 77 63 22 3e 43 61 6c 65 6e 64 61 72 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67
                                                                                  Data Ascii: );</script><div class=gbm id=gbd aria-owner=gbztm><div id=gbmmb class="gbmc gbsb gbsbis"><ol id=gbmm class="gbmcc gbsbic"><li class=gbmtc><a class=gbmt id=gb_24 href="https://calendar.google.com/calendar?tab=wc">Calendar</a></li><li class=gbmtc><a class=g
                                                                                  2022-07-24 15:54:34 UTC91INData Raw: 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 6c 6f 67 67 65 72 2e 69 6c 28 31 2c 7b 74 3a 36 36 7d 29 3b 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 74 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 73 62 62 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 69 64 3d 67 62 67 3e 3c 68 32 20 63 6c 61 73 73 3d 67 62 78 78 3e 41 63 63 6f 75 6e 74 20 4f 70 74 69 6f 6e 73 3c 2f 68 32 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 63 62 3e 3c 2f 73 70 61 6e 3e 3c 6f 6c 20 63
                                                                                  Data Ascii: ').addEventListener('click', function clickHandler() { gbar.logger.il(1,{t:66});; });</script></li></ol><div class=gbsbt></div><div class=gbsbb></div></div></div></li></ol></div><div id=gbg><h2 class=gbxx>Account Options</h2><span class=gbtcb></span><ol c


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 24, 2022 17:56:06.231204033 CEST | 587 | 49719 | 192.185.37.183 | 192.168.2.4 | 220-gator4044.hostgator.com ESMTP Exim 4.95 #2 Sun, 24 Jul 2022 10:56:06 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jul 24, 2022 17:56:06.231595993 CEST | 49719 | 587 | 192.168.2.4 | 192.185.37.183 | EHLO 878411
Jul 24, 2022 17:56:06.400350094 CEST | 587 | 49719 | 192.185.37.183 | 192.168.2.4 | 250-gator4044.hostgator.com Hello 878411 [84.17.52.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jul 24, 2022 17:56:06.400914907 CEST | 49719 | 587 | 192.168.2.4 | 192.185.37.183 | STARTTLS
Jul 24, 2022 17:56:06.569955111 CEST | 587 | 49719 | 192.185.37.183 | 192.168.2.4 | 220 TLS go ahead
Jul 24, 2022 17:56:15.382637024 CEST | 587 | 49722 | 192.185.37.183 | 192.168.2.4 | 220-gator4044.hostgator.com ESMTP Exim 4.95 #2 Sun, 24 Jul 2022 10:56:15 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jul 24, 2022 17:56:15.382828951 CEST | 49722 | 587 | 192.168.2.4 | 192.185.37.183 | EHLO 878411
Jul 24, 2022 17:56:15.554317951 CEST | 587 | 49722 | 192.185.37.183 | 192.168.2.4 | 250-gator4044.hostgator.com Hello 878411 [84.17.52.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Jul 24, 2022 17:56:15.554552078 CEST | 49722 | 587 | 192.168.2.4 | 192.185.37.183 | STARTTLS
Jul 24, 2022 17:56:15.724662066 CEST | 587 | 49722 | 192.185.37.183 | 192.168.2.4 | 220 TLS go ahead


                                                                                  Target ID:0
                                                                                  Start time:17:54:09
                                                                                  Start date:24/07/2022
                                                                                  Path:C:\Users\user\Desktop\B35@6B.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\B35@6B.exe"
                                                                                  Imagebase:0xf10000
                                                                                  File size:600576 bytes
                                                                                  MD5 hash:6753A24ED2A75DBD488C0A1783F03D05
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.303282970.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.304264302.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.304264302.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low

                                                                                  Target ID:1
                                                                                  Start time:17:54:31
                                                                                  Start date:24/07/2022
                                                                                  Path:C:\Users\user\AppData\Local\Temp\pot.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Local\Temp\pot.exe"
                                                                                  Imagebase:0xf10000
                                                                                  File size:600576 bytes
                                                                                  MD5 hash:6753A24ED2A75DBD488C0A1783F03D05
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.455643526.0000000004462000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.455643526.0000000004462000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.454626461.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.454626461.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.457363000.0000000004569000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.457363000.0000000004569000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low

                                                                                  Target ID:10
                                                                                  Start time:17:55:35
                                                                                  Start date:24/07/2022
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                  Imagebase:0x260000
                                                                                  File size:41064 bytes
                                                                                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.420464455.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.420464455.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.420090127.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.420090127.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.500496206.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.500496206.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.420800374.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.420800374.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.419618627.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.419618627.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.506967470.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high

                                                                                  Target ID:14
                                                                                  Start time:17:55:57
                                                                                  Start date:24/07/2022
                                                                                  Path:C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
                                                                                  Imagebase:0x7c0000
                                                                                  File size:41064 bytes
                                                                                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Antivirus matches:
                                                                                  • Detection: 0%, Metadefender, Browse
                                                                                  • Detection: 0%, ReversingLabs
                                                                                  Reputation:high

                                                                                  Target ID:15
                                                                                  Start time:17:55:57
                                                                                  Start date:24/07/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  Target ID:16
                                                                                  Start time:17:56:05
                                                                                  Start date:24/07/2022
                                                                                  Path:C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Acrobat\Acrobat.exe"
                                                                                  Imagebase:0xd00000
                                                                                  File size:41064 bytes
                                                                                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Reputation:high

                                                                                  Target ID:17
                                                                                  Start time:17:56:05
                                                                                  Start date:24/07/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  No disassembly