Status: Malicious
Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) | MalScore |
|---|---|---|---|---|---|---|---|
| FILE | exe | 2025-12-08 16:42:47 | 2025-12-08 16:43:39 | 52 seconds | Show Options | Show Analysis Log | 8.0 |
vnc_port=5902
2025-12-06 09:30:10,719 [root] INFO: Date set to: 20251208T08:32:11, timeout set to: 180 2025-12-08 08:32:11,015 [root] DEBUG: Starting analyzer from: C:\tmplvgo8bly 2025-12-08 08:32:11,015 [root] DEBUG: Storing results at: C:\jYwvXhpEc 2025-12-08 08:32:11,015 [root] DEBUG: Pipe server name: \\.\PIPE\ImvVfmhb 2025-12-08 08:32:11,015 [root] DEBUG: Python path: C:\Python38 2025-12-08 08:32:11,015 [root] INFO: analysis running as an admin 2025-12-08 08:32:11,015 [root] INFO: analysis package specified: "exe" 2025-12-08 08:32:11,015 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-12-08 08:32:11,015 [root] DEBUG: imported analysis package "exe" 2025-12-08 08:32:11,015 [root] DEBUG: initializing analysis package "exe"... 2025-12-08 08:32:11,015 [lib.common.common] INFO: wrapping 2025-12-08 08:32:11,015 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation 2025-12-08 08:32:11,015 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe 2025-12-08 08:32:11,015 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-12-08 08:32:11,015 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-12-08 08:32:11,015 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-12-08 08:32:11,015 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-12-08 08:32:11,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-12-08 08:32:11,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain" 2025-12-08 08:32:11,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-12-08 08:32:11,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script" 2025-12-08 08:32:11,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks" 2025-12-08 08:32:11,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx" 2025-12-08 08:32:11,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-12-08 08:32:11,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script" 2025-12-08 08:32:11,078 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-12-08 08:32:11,109 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab' 2025-12-08 08:32:11,109 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw' 2025-12-08 08:32:11,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-12-08 08:32:11,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon" 2025-12-08 08:32:11,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-12-08 08:32:11,125 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage" 2025-12-08 08:32:11,125 [root] DEBUG: Initialized auxiliary module "Browser" 2025-12-08 08:32:11,125 [root] DEBUG: attempting to configure 'Browser' from data 2025-12-08 08:32:11,125 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-12-08 08:32:11,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-12-08 08:32:11,125 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-12-08 08:32:11,125 [root] DEBUG: Initialized auxiliary module "Curtain" 2025-12-08 08:32:11,125 [root] DEBUG: attempting to configure 'Curtain' from data 2025-12-08 08:32:11,125 [root] DEBUG: module Curtain does not support data configuration, ignoring 2025-12-08 08:32:11,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"... 2025-12-08 08:32:11,125 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain 2025-12-08 08:32:11,125 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-12-08 08:32:11,125 [root] DEBUG: attempting to configure 'Disguise' from data 2025-12-08 08:32:11,125 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-12-08 08:32:11,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-12-08 08:32:11,125 [modules.auxiliary.disguise] INFO: Disguising GUID to 92cce67d-fb96-4843-a2ce-37841dadda6a 2025-12-08 08:32:11,125 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-12-08 08:32:11,125 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks" 2025-12-08 08:32:11,125 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data 2025-12-08 08:32:11,125 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring 2025-12-08 08:32:11,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"... 2025-12-08 08:32:11,125 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe 2025-12-08 08:32:11,125 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks 2025-12-08 08:32:11,125 [root] DEBUG: Initialized auxiliary module "Evtx" 2025-12-08 08:32:11,125 [root] DEBUG: attempting to configure 'Evtx' from data 2025-12-08 08:32:11,125 [root] DEBUG: module Evtx does not support data configuration, ignoring 2025-12-08 08:32:11,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"... 2025-12-08 08:32:11,125 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable 2025-12-08 08:32:11,125 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx 2025-12-08 08:32:11,125 [root] DEBUG: Initialized auxiliary module "Human" 2025-12-08 08:32:11,125 [root] DEBUG: attempting to configure 'Human' from data 2025-12-08 08:32:11,125 [root] DEBUG: module Human does not support data configuration, ignoring 2025-12-08 08:32:11,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-12-08 08:32:11,125 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-12-08 08:32:11,140 [root] DEBUG: Initialized auxiliary module "Pre_script" 2025-12-08 08:32:11,140 [root] DEBUG: attempting to configure 'Pre_script' from data 2025-12-08 08:32:11,140 [root] DEBUG: module Pre_script does not support data configuration, ignoring 2025-12-08 08:32:11,140 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"... 2025-12-08 08:32:11,140 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script 2025-12-08 08:32:11,140 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-12-08 08:32:11,140 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-12-08 08:32:11,140 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-12-08 08:32:11,140 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-12-08 08:32:11,140 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-12-08 08:32:11,140 [root] DEBUG: Initialized auxiliary module "Sysmon" 2025-12-08 08:32:11,140 [root] DEBUG: attempting to configure 'Sysmon' from data 2025-12-08 08:32:11,140 [root] DEBUG: module Sysmon does not support data configuration, ignoring 2025-12-08 08:32:11,140 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"... 2025-12-08 08:32:11,203 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable 2025-12-08 08:32:11,234 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques. 2025-12-08 08:32:11,234 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-12-08 08:32:11,234 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-12-08 08:32:11,234 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-12-08 08:32:11,234 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-12-08 08:32:11,249 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 392 2025-12-08 08:32:11,249 [lib.api.process] INFO: Monitor config for <Process 392 lsass.exe>: C:\tmplvgo8bly\dll\392.ini 2025-12-08 08:32:11,249 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-12-08 08:32:11,249 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:11,249 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable 2025-12-08 08:32:11,265 [root] DEBUG: Loader: Injecting process 392 with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:11,281 [root] DEBUG: 392: Python path set to 'C:\Python38'. 2025-12-08 08:32:11,296 [root] INFO: Disabling sleep skipping. 2025-12-08 08:32:11,296 [root] DEBUG: 392: TLS secret dump mode enabled. 2025-12-08 08:32:11,296 [root] DEBUG: 392: Monitor initialised: 32-bit capemon loaded in process 392 at 0x6c9a0000, thread 3116, image base 0x570000, stack from 0xf36000-0xf40000 2025-12-08 08:32:11,296 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable 2025-12-08 08:32:11,312 [root] DEBUG: 392: Commandline: C:\Windows\system32\lsass.exe 2025-12-08 08:32:11,312 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe 2025-12-08 08:32:11,312 [root] DEBUG: 392: Hooked 5 out of 5 functions 2025-12-08 08:32:11,312 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-12-08 08:32:11,312 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:11,312 [lib.api.process] INFO: Injected into 32-bit <Process 392 lsass.exe> 2025-12-08 08:32:11,312 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump 2025-12-08 08:32:11,312 [root] DEBUG: Initialized auxiliary module "Usage" 2025-12-08 08:32:11,312 [root] DEBUG: attempting to configure 'Usage' from data 2025-12-08 08:32:11,312 [root] DEBUG: module Usage does not support data configuration, ignoring 2025-12-08 08:32:11,312 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"... 2025-12-08 08:32:11,312 [root] DEBUG: Started auxiliary module modules.auxiliary.usage 2025-12-08 08:32:11,312 [root] DEBUG: Initialized auxiliary module "During_script" 2025-12-08 08:32:11,312 [root] DEBUG: attempting to configure 'During_script' from data 2025-12-08 08:32:11,312 [root] DEBUG: module During_script does not support data configuration, ignoring 2025-12-08 08:32:11,312 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"... 2025-12-08 08:32:11,328 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script 2025-12-08 08:32:11,343 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable 2025-12-08 08:32:11,390 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe 2025-12-08 08:32:11,406 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable 2025-12-08 08:32:11,437 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe 2025-12-08 08:32:11,437 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable 2025-12-08 08:32:11,453 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable 2025-12-08 08:32:11,484 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe 2025-12-08 08:32:11,484 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable 2025-12-08 08:32:11,500 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable 2025-12-08 08:32:11,515 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable 2025-12-08 08:32:11,546 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable 2025-12-08 08:32:11,546 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f 2025-12-08 08:32:11,562 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable 2025-12-08 08:32:11,578 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f 2025-12-08 08:32:11,593 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable 2025-12-08 08:32:11,593 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f 2025-12-08 08:32:11,609 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable 2025-12-08 08:32:11,625 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable 2025-12-08 08:32:11,640 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable 2025-12-08 08:32:11,656 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable 2025-12-08 08:32:11,671 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable 2025-12-08 08:32:11,687 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable 2025-12-08 08:32:11,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable 2025-12-08 08:32:11,718 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable 2025-12-08 08:32:11,734 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable 2025-12-08 08:32:11,750 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable 2025-12-08 08:32:11,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable 2025-12-08 08:32:11,781 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable 2025-12-08 08:32:11,796 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable 2025-12-08 08:32:11,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable 2025-12-08 08:32:11,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable 2025-12-08 08:32:11,843 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable 2025-12-08 08:32:11,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable 2025-12-08 08:32:11,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable 2025-12-08 08:32:11,906 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable 2025-12-08 08:32:11,921 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable 2025-12-08 08:32:11,937 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable 2025-12-08 08:32:11,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable 2025-12-08 08:32:11,968 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable 2025-12-08 08:32:11,968 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable 2025-12-08 08:32:11,984 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable 2025-12-08 08:32:12,000 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable 2025-12-08 08:32:12,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable 2025-12-08 08:32:12,031 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable 2025-12-08 08:32:12,046 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable 2025-12-08 08:32:12,062 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable 2025-12-08 08:32:12,078 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable 2025-12-08 08:32:12,093 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable 2025-12-08 08:32:12,109 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable 2025-12-08 08:32:12,140 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable 2025-12-08 08:32:12,140 [modules.auxiliary.evtx] DEBUG: Wiping Application 2025-12-08 08:32:12,156 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents 2025-12-08 08:32:12,171 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer 2025-12-08 08:32:12,187 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service 2025-12-08 08:32:12,203 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts 2025-12-08 08:32:12,218 [modules.auxiliary.evtx] DEBUG: Wiping Security 2025-12-08 08:32:12,234 [modules.auxiliary.evtx] DEBUG: Wiping Setup 2025-12-08 08:32:12,249 [modules.auxiliary.evtx] DEBUG: Wiping System 2025-12-08 08:32:12,249 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell 2025-12-08 08:32:12,265 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational 2025-12-08 08:32:16,531 [root] INFO: Restarting WMI Service 2025-12-08 08:32:18,562 [root] DEBUG: package modules.packages.exe does not support configure, ignoring 2025-12-08 08:32:18,562 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages' 2025-12-08 08:32:18,562 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation 2025-12-08 08:32:18,562 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe" with arguments "" with pid 3012 2025-12-08 08:32:18,562 [lib.api.process] INFO: Monitor config for <Process 3012 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3012.ini 2025-12-08 08:32:18,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:18,578 [root] DEBUG: Loader: Injecting process 3012 (thread 3052) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:18,578 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2025-12-08 08:32:18,578 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:18,578 [lib.api.process] INFO: Injected into 32-bit <Process 3012 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:20,578 [lib.api.process] INFO: Successfully resumed <Process 3012 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:20,578 [root] DEBUG: 3012: Python path set to 'C:\Python38'. 2025-12-08 08:32:20,578 [root] INFO: Disabling sleep skipping. 2025-12-08 08:32:20,578 [root] DEBUG: 3012: Dropped file limit defaulting to 100. 2025-12-08 08:32:20,578 [root] DEBUG: 3012: YaraInit: Compiled 41 rule files 2025-12-08 08:32:20,578 [root] DEBUG: 3012: YaraInit: Compiled rules saved to file C:\tmplvgo8bly\data\yara\capemon.yac 2025-12-08 08:32:20,578 [root] DEBUG: 3012: YaraScan: Scanning 0x00400000, size 0x475c02 2025-12-08 08:32:20,593 [root] DEBUG: 3012: Monitor initialised: 32-bit capemon loaded in process 3012 at 0x6c9a0000, thread 3052, image base 0x400000, stack from 0x126000-0x130000 2025-12-08 08:32:20,593 [root] DEBUG: 3012: Commandline: "C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe" 2025-12-08 08:32:20,593 [root] DEBUG: 3012: GetAddressByYara: ModuleBase 0x774E0000 FunctionName LdrpCallInitRoutine 2025-12-08 08:32:20,609 [root] DEBUG: 3012: hook_api: LdrpCallInitRoutine export address 0x77538810 obtained via GetFunctionAddress 2025-12-08 08:32:20,609 [root] DEBUG: 3012: hook_api: Warning - CreateRemoteThreadEx export address 0x764AF98F differs from GetProcAddress -> 0x754EBB18 (KERNELBASE.dll::0xbb18) 2025-12-08 08:32:20,609 [root] DEBUG: 3012: hook_api: Warning - UpdateProcThreadAttribute export address 0x764B020F differs from GetProcAddress -> 0x754F43FB (KERNELBASE.dll::0x143fb) 2025-12-08 08:32:20,609 [root] WARNING: b'Unable to place hook on GetCommandLineA' 2025-12-08 08:32:20,609 [root] DEBUG: 3012: set_hooks: Unable to hook GetCommandLineA 2025-12-08 08:32:20,609 [root] WARNING: b'Unable to place hook on GetCommandLineW' 2025-12-08 08:32:20,609 [root] DEBUG: 3012: set_hooks: Unable to hook GetCommandLineW 2025-12-08 08:32:20,609 [root] DEBUG: 3012: Hooked 611 out of 613 functions 2025-12-08 08:32:20,609 [root] DEBUG: 3012: WoW64 not detected. 2025-12-08 08:32:20,609 [root] INFO: Loaded monitor into process with pid 3012 2025-12-08 08:32:20,625 [root] DEBUG: 3012: caller_dispatch: Added region at 0x00400000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x0040B84D, thread 3052). 2025-12-08 08:32:20,625 [root] DEBUG: 3012: YaraScan: Scanning 0x00400000, size 0x475c02 2025-12-08 08:32:20,640 [root] DEBUG: 3012: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00) 2025-12-08 08:32:20,640 [root] DEBUG: 3012: ProtectionHandler: Adding region at 0x001B4C70 to tracked regions. 2025-12-08 08:32:20,640 [root] DEBUG: 3012: api-rate-cap: GetSystemDefaultLangID hook disabled due to rate 2025-12-08 08:32:21,765 [root] DEBUG: 3012: DLL loaded at 0x73AC0000: C:\Windows\system32\msimg32 (0x5000 bytes). 2025-12-08 08:32:21,765 [root] DEBUG: 3012: DumpPEsInRange: Scanning range 0x00180000 - 0x001EFFFF. 2025-12-08 08:32:21,765 [root] DEBUG: 3012: ScanForDisguisedPE: PE image located at: 0x001EA548 2025-12-08 08:32:21,765 [root] DEBUG: 3012: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x001EA548 2025-12-08 08:32:21,765 [root] DEBUG: 3012: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 3012) 2025-12-08 08:32:21,765 [root] DEBUG: 3012: DumpPE: Instantiating PeParser with address: 0x001EA548. 2025-12-08 08:32:21,765 [root] DEBUG: 3012: DumpPE: Error: Invalid PE file or invalid PE header. 2025-12-08 08:32:21,765 [root] DEBUG: 3012: DumpImageInCurrentProcess: Failed to dump 'raw' PE image from 0x001EA548, dumping memory region. 2025-12-08 08:32:21,765 [lib.common.results] INFO: Uploading file C:\jYwvXhpEc\CAPE\3012_2349927021321081122025 to CAPE\107dfc7d856e6ffec76897096f099e3b4e0e6c2d6f47033509d67a17a7bc044e; Size is 458751; Max size: 100000000 2025-12-08 08:32:21,781 [root] DEBUG: 3012: DumpMemory: Payload successfully created: C:\jYwvXhpEc\CAPE\3012_2349927021321081122025 (size 458751 bytes) 2025-12-08 08:32:21,781 [root] DEBUG: 3012: DumpRegion: Dumped entire allocation from 0x00180000, size 458752 bytes. 2025-12-08 08:32:21,781 [root] DEBUG: 3012: ProcessTrackedRegion: Dumped region at 0x00180000. 2025-12-08 08:32:21,781 [root] DEBUG: 3012: YaraScan: Scanning 0x00180000, size 0x6ffff 2025-12-08 08:32:21,781 [root] DEBUG: 3012: AllocationHandler: Adding allocation to tracked region list: 0x00360000, size: 0x63000. 2025-12-08 08:32:21,781 [root] DEBUG: 3012: AddTrackedRegion: GetEntropy failed. 2025-12-08 08:32:21,781 [root] DEBUG: 3012: AllocationHandler: Processing previous tracked region at: 0x00180000. 2025-12-08 08:32:21,781 [root] DEBUG: 3012: DumpPEsInRange: Scanning range 0x00180000 - 0x001EFFFF. 2025-12-08 08:32:21,781 [root] DEBUG: 3012: ScanForDisguisedPE: No PE image located in range 0x00180000-0x001EFFFF. 2025-12-08 08:32:21,781 [lib.common.results] INFO: Uploading file C:\jYwvXhpEc\CAPE\3012_230793312132081122025 to CAPE\623ce9e6ea84f5767731cc948e8de66fac2570029c32bb257bb437dd12e64ca5; Size is 458751; Max size: 100000000 2025-12-08 08:32:21,796 [root] DEBUG: 3012: DumpMemory: Payload successfully created: C:\jYwvXhpEc\CAPE\3012_230793312132081122025 (size 458751 bytes) 2025-12-08 08:32:21,796 [root] DEBUG: 3012: DumpRegion: Dumped entire allocation from 0x00180000, size 458752 bytes. 2025-12-08 08:32:21,796 [root] DEBUG: 3012: ProcessTrackedRegion: Dumped region at 0x00180000. 2025-12-08 08:32:21,796 [root] DEBUG: 3012: YaraScan: Scanning 0x00180000, size 0x6ffff 2025-12-08 08:32:21,796 [root] DEBUG: 3012: DumpPEsInRange: Scanning range 0x00360000 - 0x003C1FB3. 2025-12-08 08:32:21,796 [root] DEBUG: 3012: ScanForDisguisedPE: PE image located at: 0x003615A0 2025-12-08 08:32:21,796 [root] DEBUG: 3012: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 3012) 2025-12-08 08:32:21,796 [root] DEBUG: 3012: DumpPE: Instantiating PeParser with address: 0x003615A0. 2025-12-08 08:32:21,796 [lib.common.results] INFO: Uploading file C:\jYwvXhpEc\CAPE\3012_2099848021321081122025 to CAPE\917780ccc514b26e57a9ea34b5ffb3379e837850185456fb86a521895205468a; Size is 396288; Max size: 100000000 2025-12-08 08:32:21,812 [root] DEBUG: 3012: DumpPE: PE file at 0x003615A0 dumped successfully - dump size 0x60c00. 2025-12-08 08:32:21,812 [root] DEBUG: 3012: ScanForDisguisedPE: No PE image located in range 0x003625A0-0x003C1FB3. 2025-12-08 08:32:21,812 [lib.common.results] INFO: Uploading file C:\jYwvXhpEc\CAPE\3012_919427621321081122025 to CAPE\5dc1a7d866ddcc2fab51bdb0597cfbcc36d965331b770f34c3151317c477bcdb; Size is 401331; Max size: 100000000 2025-12-08 08:32:21,812 [root] DEBUG: 3012: DumpMemory: Payload successfully created: C:\jYwvXhpEc\CAPE\3012_919427621321081122025 (size 401331 bytes) 2025-12-08 08:32:21,812 [root] DEBUG: 3012: DumpRegion: Dumped entire allocation from 0x00360000, size 405504 bytes. 2025-12-08 08:32:21,812 [root] DEBUG: 3012: ProcessTrackedRegion: Dumped region at 0x00360000. 2025-12-08 08:32:21,812 [root] DEBUG: 3012: YaraScan: Scanning 0x00360000, size 0x61fb3 2025-12-08 08:32:21,828 [root] DEBUG: 3012: DLL loaded at 0x74170000: C:\Windows\system32\uxtheme (0x40000 bytes). 2025-12-08 08:32:21,828 [root] DEBUG: 3012: DLL loaded at 0x73E80000: C:\Windows\system32\dwmapi (0x13000 bytes). 2025-12-08 08:32:21,828 [root] DEBUG: 3012: CreateProcessHandler: Injection info set for new process 3472: C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe, ImageBase: 0x00400000 2025-12-08 08:32:21,828 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,828 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,828 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,828 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,828 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2025-12-08 08:32:21,828 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,828 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,828 [root] DEBUG: 3012: DLL loaded at 0x75390000: C:\Windows\system32\apphelp (0x4c000 bytes). 2025-12-08 08:32:21,843 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,843 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,843 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,843 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,843 [root] DEBUG: InjectDllViaIAT: This image has already been patched. 2025-12-08 08:32:21,843 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,843 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,843 [root] DEBUG: 3012: WriteMemoryHandler: Executable binary injected into process 3472 (ImageBase 0x400000) 2025-12-08 08:32:21,843 [root] DEBUG: 3012: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 3012) 2025-12-08 08:32:21,843 [root] DEBUG: 3012: DumpPE: Instantiating PeParser with address: 0x003615A0. 2025-12-08 08:32:21,859 [lib.common.results] INFO: Uploading file C:\jYwvXhpEc\CAPE\3012_1100379021321081122025 to CAPE\917780ccc514b26e57a9ea34b5ffb3379e837850185456fb86a521895205468a; Size is 396288; Max size: 100000000 2025-12-08 08:32:21,875 [root] DEBUG: 3012: DumpPE: PE file at 0x003615A0 dumped successfully - dump size 0x60c00. 2025-12-08 08:32:21,875 [root] DEBUG: 3012: WriteMemoryHandler: Dumped PE image from buffer at 0x3615a0, SizeOfImage 0x67000. 2025-12-08 08:32:21,875 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,875 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,875 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,875 [root] DEBUG: InjectDllViaIAT: Blank import descriptor, aborting IAT patch. 2025-12-08 08:32:21,875 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,875 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,875 [root] DEBUG: 3012: WriteMemoryHandler: injection of section of PE image which has already been dumped. 2025-12-08 08:32:21,875 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,875 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,875 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,875 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,875 [root] DEBUG: InjectDllViaIAT: Blank import descriptor, aborting IAT patch. 2025-12-08 08:32:21,875 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,875 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,890 [root] DEBUG: 3012: WriteMemoryHandler: injection of section of PE image which has already been dumped. 2025-12-08 08:32:21,890 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,890 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,890 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,890 [root] DEBUG: InjectDllViaIAT: Blank import descriptor, aborting IAT patch. 2025-12-08 08:32:21,890 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,890 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,890 [root] DEBUG: 3012: WriteMemoryHandler: injection of section of PE image which has already been dumped. 2025-12-08 08:32:21,890 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,890 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,890 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,890 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,890 [root] DEBUG: InjectDllViaIAT: Blank import descriptor, aborting IAT patch. 2025-12-08 08:32:21,890 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,906 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,906 [root] DEBUG: 3012: WriteMemoryHandler: injection of section of PE image which has already been dumped. 2025-12-08 08:32:21,906 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,906 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,906 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,906 [root] DEBUG: InjectDllViaIAT: Blank import descriptor, aborting IAT patch. 2025-12-08 08:32:21,906 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,906 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,906 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,906 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,906 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,906 [root] DEBUG: InjectDllViaIAT: Blank import descriptor, aborting IAT patch. 2025-12-08 08:32:21,906 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,906 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,921 [root] DEBUG: 3012: WriteMemoryHandler: injection of section of PE image which has already been dumped. 2025-12-08 08:32:21,921 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,921 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,921 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,921 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2025-12-08 08:32:21,921 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,921 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,921 [root] DEBUG: 3012: WriteMemoryHandler: injection of section of PE image which has already been dumped. 2025-12-08 08:32:21,921 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,921 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,921 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,921 [root] DEBUG: InjectDllViaIAT: This image has already been patched. 2025-12-08 08:32:21,921 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,921 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,921 [root] DEBUG: 3012: WriteMemoryHandler: injection of section of PE image which has already been dumped. 2025-12-08 08:32:21,921 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,937 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,937 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,937 [root] DEBUG: InjectDllViaIAT: This image has already been patched. 2025-12-08 08:32:21,937 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,937 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,937 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,937 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,937 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,937 [root] DEBUG: InjectDllViaIAT: This image has already been patched. 2025-12-08 08:32:21,937 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,937 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,937 [root] DEBUG: 3012: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x000014C0 (process 3472). 2025-12-08 08:32:21,937 [root] INFO: Announced 32-bit process name: e9b7110334eeff9ee59b.exe pid: 3472 2025-12-08 08:32:21,937 [lib.api.process] INFO: Monitor config for <Process 3472 e9b7110334eeff9ee59b.exe>: C:\tmplvgo8bly\dll\3472.ini 2025-12-08 08:32:21,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmplvgo8bly\dll\GKaMkD.dll, loader C:\tmplvgo8bly\bin\EDSCeho.exe 2025-12-08 08:32:21,953 [root] DEBUG: Loader: Injecting process 3472 (thread 3424) with C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,953 [root] DEBUG: InjectDllViaIAT: This image has already been patched. 2025-12-08 08:32:21,953 [root] DEBUG: Successfully injected DLL C:\tmplvgo8bly\dll\GKaMkD.dll. 2025-12-08 08:32:21,953 [lib.api.process] INFO: Injected into 32-bit <Process 3472 e9b7110334eeff9ee59b.exe> 2025-12-08 08:32:21,953 [root] DEBUG: 3012: NtTerminateProcess hook: Attempting to dump process 3012 2025-12-08 08:32:21,953 [root] DEBUG: 3012: DoProcessDump: Skipping process dump as code is identical on disk. 2025-12-08 08:32:21,968 [root] INFO: Process with pid 3012 has terminated 2025-12-08 08:32:21,968 [root] DEBUG: 3472: Python path set to 'C:\Python38'. 2025-12-08 08:32:21,968 [root] DEBUG: 3472: Dropped file limit defaulting to 100. 2025-12-08 08:32:21,968 [root] INFO: Disabling sleep skipping. 2025-12-08 08:32:21,968 [root] DEBUG: 3472: YaraInit: Compiled rules loaded from existing file C:\tmplvgo8bly\data\yara\capemon.yac 2025-12-08 08:32:21,968 [root] DEBUG: 3472: YaraScan: Scanning 0x00400000, size 0x66013 2025-12-08 08:32:21,968 [root] DEBUG: 3472: CAPE_init: Main executable image temporarily remapped for scanning at 0x00310000 2025-12-08 08:32:21,968 [root] DEBUG: 3472: YaraScan: Scanning 0x00310000, size 0x67000 2025-12-08 08:32:21,984 [root] DEBUG: 3472: Monitor initialised: 32-bit capemon loaded in process 3472 at 0x6c9a0000, thread 3424, image base 0x400000, stack from 0x126000-0x130000 2025-12-08 08:32:21,984 [root] DEBUG: 3472: Commandline: "C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe" 2025-12-08 08:32:21,984 [root] DEBUG: 3472: GetAddressByYara: ModuleBase 0x774E0000 FunctionName LdrpCallInitRoutine 2025-12-08 08:32:21,984 [root] DEBUG: 3472: hook_api: LdrpCallInitRoutine export address 0x77538810 obtained via GetFunctionAddress 2025-12-08 08:32:21,984 [root] DEBUG: 3472: hook_api: Warning - CreateRemoteThreadEx export address 0x764AF98F differs from GetProcAddress -> 0x754EBB18 (KERNELBASE.dll::0xbb18) 2025-12-08 08:32:21,984 [root] DEBUG: 3472: hook_api: Warning - UpdateProcThreadAttribute export address 0x764B020F differs from GetProcAddress -> 0x754F43FB (KERNELBASE.dll::0x143fb) 2025-12-08 08:32:21,984 [root] WARNING: b'Unable to place hook on GetCommandLineA' 2025-12-08 08:32:22,000 [root] DEBUG: 3472: set_hooks: Unable to hook GetCommandLineA 2025-12-08 08:32:22,000 [root] WARNING: b'Unable to place hook on GetCommandLineW' 2025-12-08 08:32:22,000 [root] DEBUG: 3472: set_hooks: Unable to hook GetCommandLineW 2025-12-08 08:32:22,000 [root] DEBUG: 3472: Hooked 611 out of 613 functions 2025-12-08 08:32:22,000 [root] DEBUG: 3472: WoW64 not detected. 2025-12-08 08:32:22,000 [root] INFO: Loaded monitor into process with pid 3472 2025-12-08 08:32:22,000 [root] DEBUG: 3472: YaraScan: Scanning 0x00400000, size 0x66013 2025-12-08 08:32:22,000 [root] DEBUG: 3472: YaraScan: Scanning 0x00400000, size 0x66013 2025-12-08 08:32:22,000 [root] DEBUG: 3472: YaraScan: Scanning 0x00400000, size 0x66013 2025-12-08 08:32:22,000 [root] DEBUG: 3472: caller_dispatch: Added region at 0x00400000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x00442DCF, thread 3424). 2025-12-08 08:32:22,015 [root] DEBUG: 3472: YaraScan: Scanning 0x00400000, size 0x66013 2025-12-08 08:32:22,031 [root] DEBUG: 3472: ProcessImageBase: Main module image at 0x00400000 unmodified (entropy change 0.000000e+00) 2025-12-08 08:32:22,031 [root] DEBUG: 3472: DLL loaded at 0x75E10000: C:\Windows\system32\Urlmon (0x14a000 bytes). 2025-12-08 08:32:22,031 [root] DEBUG: 3472: DLL loaded at 0x75790000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes). 2025-12-08 08:32:22,031 [root] DEBUG: 3472: DLL loaded at 0x757E0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0 (0x4000 bytes). 2025-12-08 08:32:22,031 [root] DEBUG: 3472: DLL loaded at 0x755C0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0 (0x5000 bytes). 2025-12-08 08:32:22,031 [root] DEBUG: 3472: DLL loaded at 0x75610000: C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0 (0x4000 bytes). 2025-12-08 08:32:22,031 [root] DEBUG: 3472: DLL loaded at 0x75620000: C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0 (0x4000 bytes). 2025-12-08 08:32:22,031 [root] DEBUG: 3472: DLL loaded at 0x74960000: C:\Windows\system32\version (0x9000 bytes). 2025-12-08 08:32:22,046 [root] DEBUG: 3472: DLL loaded at 0x75600000: C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0 (0x3000 bytes). 2025-12-08 08:32:22,046 [root] DEBUG: 3472: DLL loaded at 0x77630000: C:\Windows\system32\normaliz (0x3000 bytes). 2025-12-08 08:32:22,046 [root] DEBUG: 3472: DLL loaded at 0x761B0000: C:\Windows\system32\iertutil (0x232000 bytes). 2025-12-08 08:32:22,062 [root] DEBUG: 3472: DLL loaded at 0x75920000: C:\Windows\system32\WININET (0x1e4000 bytes). 2025-12-08 08:32:22,062 [root] DEBUG: 3472: DLL loaded at 0x757C0000: C:\Windows\system32\USERENV (0x17000 bytes). 2025-12-08 08:32:22,078 [root] DEBUG: 3472: DLL loaded at 0x754D0000: C:\Windows\system32\profapi (0xb000 bytes). 2025-12-08 08:32:22,078 [root] DEBUG: 3472: DLL loaded at 0x74170000: C:\Windows\system32\uxtheme (0x40000 bytes). 2025-12-08 08:32:22,093 [root] DEBUG: 3472: DLL loaded at 0x6FB50000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes). 2025-12-08 08:32:22,109 [root] DEBUG: 3472: DLL loaded at 0x75350000: C:\Windows\system32\Secur32 (0x8000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x766D0000: C:\Windows\system32\SHELL32 (0xc4c000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x72CD0000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x72BF0000: C:\Windows\system32\winhttp (0x58000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x72BA0000: C:\Windows\system32\webio (0x50000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x73640000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x736D0000: C:\Windows\system32\WINNSI (0x7000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x74E90000: C:\Windows\system32\mswsock (0x3c000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x74E80000: C:\Windows\System32\wship6 (0x6000 bytes). 2025-12-08 08:32:22,171 [root] DEBUG: 3472: DLL loaded at 0x75D80000: C:\Windows\system32\OLEAUT32 (0x8f000 bytes). 2025-12-08 08:32:22,187 [root] DEBUG: 3472: DLL loaded at 0x74D50000: C:\Windows\system32\DNSAPI (0x44000 bytes). 2025-12-08 08:32:22,187 [root] DEBUG: 3472: DLL loaded at 0x753E0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes). 2025-12-08 08:32:22,203 [root] DEBUG: 3472: DLL loaded at 0x76100000: C:\Windows\system32\CLBCatQ (0x83000 bytes). 2025-12-08 08:32:22,203 [root] DEBUG: 3472: DLL loaded at 0x72B10000: C:\Windows\System32\netprofm (0x5a000 bytes). 2025-12-08 08:32:22,203 [root] DEBUG: 3472: DLL loaded at 0x72C90000: C:\Windows\System32\nlaapi (0x10000 bytes). 2025-12-08 08:32:22,203 [root] DEBUG: 3472: DLL loaded at 0x735C0000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes). 2025-12-08 08:32:22,203 [root] DEBUG: 3472: DLL loaded at 0x73540000: C:\Windows\system32\dhcpcsvc (0x12000 bytes). 2025-12-08 08:32:22,203 [root] DEBUG: 3472: DLL loaded at 0x749F0000: C:\Windows\System32\wshtcpip (0x5000 bytes). 2025-12-08 08:32:22,218 [root] DEBUG: 3472: DLL loaded at 0x72500000: C:\Windows\system32\rasadhlp (0x6000 bytes). 2025-12-08 08:32:22,218 [root] DEBUG: 3472: DLL loaded at 0x74ED0000: C:\Windows\system32\CRYPTSP (0x16000 bytes). 2025-12-08 08:32:22,218 [root] DEBUG: 3472: DLL loaded at 0x74C60000: C:\Windows\system32\rsaenh (0x3b000 bytes). 2025-12-08 08:32:22,218 [root] DEBUG: 3472: DLL loaded at 0x75450000: C:\Windows\system32\RpcRtRemote (0xe000 bytes). 2025-12-08 08:32:22,234 [root] DEBUG: 3472: DLL loaded at 0x72C80000: C:\Windows\System32\npmproxy (0x8000 bytes). 2025-12-08 08:32:22,234 [root] DEBUG: 3472: DLL loaded at 0x73600000: C:\Windows\System32\fwpuclnt (0x38000 bytes). 2025-12-08 08:32:22,234 [root] DEBUG: 3472: DLL loaded at 0x743F0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes). 2025-12-08 08:32:33,234 [root] DEBUG: 3472: DLL loaded at 0x72B10000: C:\Windows\System32\netprofm (0x5a000 bytes). 2025-12-08 08:32:33,234 [root] DEBUG: 3472: DLL loaded at 0x72C90000: C:\Windows\System32\nlaapi (0x10000 bytes). 2025-12-08 08:32:33,234 [root] DEBUG: 3472: DLL loaded at 0x72C80000: C:\Windows\System32\npmproxy (0x8000 bytes). 2025-12-08 08:32:43,468 [modules.auxiliary.human] INFO: Found button "close the program", clicking it 2025-12-08 08:32:44,468 [root] INFO: Process with pid 3472 has terminated 2025-12-08 08:32:44,468 [root] DEBUG: 3472: NtTerminateProcess hook: Attempting to dump process 3472 2025-12-08 08:32:44,468 [root] DEBUG: 3472: CAPEExceptionFilter: Exception 0xc0000005 accessing 0x875004 caught at RVA 0x4ae6 in capemon (expected in memory scans), passing to next handler. 2025-12-08 08:32:44,468 [root] DEBUG: 3472: VerifyCodeSection: Exception rebasing image from 0x00400000 to 0x00400000. 2025-12-08 08:32:44,468 [root] DEBUG: 3472: ReverseScanForNonZero: Error - Supplied address inaccessible: 0x00875FFF 2025-12-08 08:32:44,468 [root] DEBUG: 3472: CAPEExceptionFilter: Exception 0xc0000005 accessing 0x2e3840f caught at RVA 0x4c1e in capemon (expected in memory scans), passing to next handler. 2025-12-08 08:32:44,468 [root] DEBUG: 3472: VerifyCodeSection: Exception counting import thunks 2025-12-08 08:32:44,468 [root] DEBUG: 3472: DoProcessDump: Skipping process dump as code is identical on disk. 2025-12-08 08:32:50,578 [root] INFO: Process list is empty, terminating analysis 2025-12-08 08:32:51,578 [root] INFO: Created shutdown mutex 2025-12-08 08:32:52,578 [root] INFO: Shutting down package 2025-12-08 08:32:52,578 [root] INFO: Stopping auxiliary modules 2025-12-08 08:32:52,578 [root] INFO: Stopping auxiliary module: Browser 2025-12-08 08:32:52,578 [root] INFO: Stopping auxiliary module: Curtain 2025-12-08 08:32:52,593 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765153972.59375.curtain.log; Size is 36; Max size: 100000000 2025-12-08 08:32:52,593 [root] INFO: Stopping auxiliary module: End_noisy_tasks 2025-12-08 08:32:52,593 [root] INFO: Stopping auxiliary module: Evtx 2025-12-08 08:32:52,593 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Application.evtx to zip dump 2025-12-08 08:32:52,593 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\HardwareEvents.evtx to zip dump 2025-12-08 08:32:52,593 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Internet Explorer.evtx to zip dump 2025-12-08 08:32:52,593 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Key Management Service.evtx to zip dump 2025-12-08 08:32:52,609 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump 2025-12-08 08:32:52,609 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\OAlerts.evtx to zip dump 2025-12-08 08:32:52,609 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Security.evtx to zip dump 2025-12-08 08:32:52,609 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Setup.evtx to zip dump 2025-12-08 08:32:52,609 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\System.evtx to zip dump 2025-12-08 08:32:52,625 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Windows PowerShell.evtx to zip dump 2025-12-08 08:32:52,687 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host 2025-12-08 08:32:52,687 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 322455; Max size: 100000000 2025-12-08 08:32:52,687 [root] INFO: Stopping auxiliary module: Human 2025-12-08 08:32:55,531 [root] INFO: Stopping auxiliary module: Pre_script 2025-12-08 08:32:55,531 [root] INFO: Stopping auxiliary module: Screenshots 2025-12-08 08:32:56,187 [root] INFO: Stopping auxiliary module: Usage 2025-12-08 08:32:57,343 [root] INFO: Stopping auxiliary module: During_script 2025-12-08 08:32:57,343 [root] INFO: Finishing auxiliary modules 2025-12-08 08:32:57,343 [root] INFO: Shutting down pipe server and dumping dropped files 2025-12-08 08:32:57,343 [root] WARNING: Folder at path "C:\jYwvXhpEc\debugger" does not exist, skipping 2025-12-08 08:32:57,343 [root] WARNING: Folder at path "C:\jYwvXhpEc\tlsdump" does not exist, skipping 2025-12-08 08:32:57,343 [root] INFO: Analysis completed
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win7-32bit-1 | win7-32bit-1 | KVM | 2025-12-08 16:42:47 | 2025-12-08 16:43:39 | inetsim |
File Details
| File Name |
e9b7110334eeff9ee59b.exe
|
|---|---|
| File Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| File Size | 491022 bytes |
| MD5 | 1f48341ff3031b71e213c19d3fafbc46 |
| SHA1 | b03f6332adb7098e73be63f54f5b5c36ed0dd1ee |
| SHA256 | e9b7110334eeff9ee59b644a4cbc8f0bd8e90c5cdb7c6b0c6426cbbd4567176d [VT] [MWDB] [Bazaar] |
| SHA3-384 | f580d1975e485582cdbe754b6440499d2a35bea8f02ba9265649b2a8a00a09ce61c822a1cc05da1e7aa9a10f8d4bfa32 |
| CRC32 | 45ABAA61 |
| TLSH | T1BEA4E021F6B2D472CF9185308439CBA45EBA68320561CA3F3797269D1E70FF1A666337 |
| Ssdeep | 6144:+4qZR5CH1lgLqTwSuKr0mWshFXsn3o/3I/4ZhuPtrd9UkZlkVEbcfPRSBQGAlc7M:3q3lBK6YBs3i3I/KUt7Uk0VnEBQxt |
| PE | File Strings BinGraph Vba2Graph |
f`bX]
Qut||ZU
FileVersions
AAAAAAAAAA=
- unexpected multithread lock error
'9-}^O
*zbx x
\+,`Vw@
V-{<3p
Xopokiyayewiliy payilalajadaruSDusexezibek supimumunodo wijufolapin jivenupinemoc waceveletewe taki nuhicelokogiziSXatahojona rinanudowobof wokurez kukenecarilu wetavozucelozun kexogezo lulavexofuduTMidayovaganixi jujakuki fugedi yukiziguxu moka zuyifiduhoyimo nelacekipozom hada zay
|*hyAX
2Y1n[
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
GetCurrentThreadId
/(hY(
SomeInfo
-b3qg
new[]
Zr'.y
_nextafter
7m~jy
- not enough space for environment
Complete Object Locator'
"*6qRIv
LLLLLLLLLLLLLLLLLLL
LoadLibraryW
AddConsoleAliasW
<=<c<
@PWSS
(vgb~
K(bKy
LLLLLLLL
Q)AAAAAAAAAAAAAAAAAAAA
^}.'t
GetGeoInfoW
#&p-e
"o:U?
>hvD/
HeapCreate
RT!>o
:/:R:
AAAAAAAAAAAA
I{4r$we
b6dJt
j,=5z
r1q&Hp
__ptr64
GetTickCount
`RTTI
=kf{I
/Z@rb
FlsAlloc
&o&ca
WJ_%g
"<aHEN
)J+"C
UaVG-
7@gQ^.6
rM_`R
"/ur/
4;5p5
operator
QIVb$
<]+>}
CIo,+@
"gFvU*w
vJ;Y_
Pq9qu
K[opa0
yh`E.
?8%f.
;'<o<
u#u~.
sz.OCj
As fb
9 :M:h:
;e.]>r
QRKGL6
7jk7/
.Oq|dF
1s.yg
q#IjTM
000r````````
$$$$$$$$$$$$$$$$$
WriteConsoleW
U$bp^
%cYw`
2Q2[2s2
y')K/
5QEMz
2222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
aob%Am
a}}}}}}
!'q{a
InitializeCriticalSectionAndSpinCount
&`sCR
#b}xLJoY>
&cq^&
9H#5zA
!2$KDa
031D1
>If90t
Qi$e$
6&6.6
3E4_4h4
^00ffffrg:I
z?aUY
TlsAlloc
i{+L/
P(`XY
|RZ@BR
R+"2222222
Y5^z*
:+ylm
;.c_(N
Ur,$o
M<sR[<OY
;+?Wb4
.5/HP
)"!%@H
m:k;@
LoadLibraryA
>[e9*P
(VDDg<
SX/[*Q
!8'RJc
t/{v-
v1!7d
E(Yx^
mlltf1=6
R6026
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
It2Fw
10840ED2
Tuesday
N3rrR
{|V*D
0}Cw^$
w,:zFn
<:8Uc
Qh _=
z+"<.
;<<U<~<
3`4g4
GetModuleHandleA
r9KjZ
VV`>w3S3
0y5X>
<h^bi-
MultiByteToWideChar
5qT0Q&8
>=Yt1j
PAnlC
_i??'{
__93y%,
StUy8a
700PP
savezihidimeciwawotajonamusacom
*z1MJt
U"^t5
DUmZ5
az9U>
,@'iz
#`(mX
sMxGG <Y
7s\gg
2a.bH
2j"0d|
7l3nI
XHP"S
e/,m|
9PH%7
9gm0n
GetModuleHandleW
xIj7/>
hRfntl~S
+;UuRZ
1x637
GAIsProcessorFeaturePresent
abcdefghijklmnopqrstuvwxyz
mkojibetijicihu
uAaK9
i)YEH
?~g/"
lmI/A
GH+?k+
*\4PtS
>uiOFY
SetHandleCount
`vector vbase copy constructor iterator'
2222222222222222222222222222222222f
Friday
[.19'cw
!M{KH
-OaDI
Er1^E
lifutunamebucudegevajo
e?: 8
fBvYi
2222222222222222222222_
__clrcall
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
qmMyW-
UBP=$
}Fe;B
"9HJJ
rb6!s
__thiscall
2:3@3O3\3e3
?BR#q*
CreateHardLinkW
2222222222
N]N%U
1*2/2W2|2
?3f,N
/"p?>
ldexp
;t$,v-
jT7Wcp6#
EncodePointer
- not enough space for stdio initialization
EnterCriticalSection
E'j+"
GetFileType
xmZ8f
GetStdHandle
FindResourceExW
-E98\
NeN2L
%9=z?
D3rBh|
i=&dy'w
zI0vJ'>l
OuX_-
g]^^N
F""""""""
cc<e"
7(73797?7D7M7j7p7{7
2222222222222%
j@j ^V
_g6XoA
dsY)}
F[I.G
HHty+
H:L*:
InternationalName
t}</>
*6W/6k
z)`Iy
4AAAAAAAAAAAAAAAAAA=Y
[4Y^y`
cy~|}?T
OYp|Ch&S
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
jdnon}i|
SetFilePointer
peL:
~yuQf
4AAAAAAAAAAAAlvAAAAA49
iZ^@?
J:+{mV
X9Zi9M
H
rq,Xs
465H5|6
_logb
b(RfsOs
__cdecl
dum3p
kernel32.dll
$J 31
Type Descriptor'
(r3hg#
td`o.
W'HLLLLLLLLLLLLLLLLLLLLLLLL
Xe9dV
4^[)!
6DU+`W9
?X7/>
B&srm
@Fqv}/@=-
-$;$Aq4
222222222222222222222
FIW;e
Vf~{O^
z^>>>>>
lLPj(
2$2,252K2l2w2
&e[!-.
q &K*R}
`eh vector vbase constructor iterator'
eL.8M
(null)
%k|V\
4^fff>>>>
M4f>B@
A$]BD
r^FJ"
7}}}}}}}}}}}
wCSId
@f3dSE
22222222222222222
TBfgz
- Attempt to use MSIL code from this assembly during native code initialization
ECJK{
R,=xP
pRj)#K
{u{7n
v.8[>
8!8'888
FzD+[{#
v8pF0
::::::::E
clL>8
m \|m0;
l=Ft{
An application has made an attempt to load the C runtime library incorrectly.
3zm1W\
(u`c*
iiQ+m
q:j;#
1#INF
=,=3=8=<=@=a=
.6U9_
n4u\`
Co7DM
4&4X4d4j4p4w4~4
y5RpV
GetCommandLineA
Copyright (C) 2022, somoklos
4q5B6
32.89.0.100
rXoCl
uQYop
Qmj{}`b{
DeleteCriticalSection
f!'WD
lAGwUO
`h`hhh
*t2T2l
obG(P0
<program name unknown>
`udt returning'
uR//&
`placement delete closure'
Q!7rKI
h`Em{Z]
|V1>&Q*
9"iei
GetFileAttributesW
nOw;;s
SetUnhandledExceptionFilter
u@,/L,T
i~-b3
Y.)So
xpxxxx
Gx222222222222222
^hQcX
ykc:?
bVUUS
9@<D<
mt5w0D
~ySU7
VW|[;
5::::::::::J
u<)%8Tg9
UmoJ~
b:i#K
.text
R6032
RtlUnwind
ReadConsoleInputA
}[@/N
D^'Fu
Sdi!$t
qDmNL!%
0`P`M"
mT9%4
GetTempPathA
2MA8~iNc
22222222222222222222222
<O@ed
HeapReAlloc
EG(`iec
WTG*Mt
Copyright
YIN#p#
AAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAA
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
,!S 7
yikubatunikexeyod
l@d}b
qF$49
4/d={?
{z]<U
Mpx}zMS
kQvql
'Rj/f_
P7lD}q
lAog4.e
VirtualAlloc
( 8PX
O8o\|
pLLLL
FreeEnvironmentStringsW
{ar|}
Jq&cj
;-ys*
a6H[i
November
>\MVUX
[fQ4P
1>2D2P2
(zgLM
r\4o$
3gpIy
F?D~/
runtime error
`vbase destructor'
*U|,~
HR,`3
`vector deleting destructor'
%nFgD
povgwaoci.iwe
u;hh-@
jQ@;.
&z[tc
t+WWVPV
LLLLLLLLLLLLLLLLLLLLLLLLL
gSgP?C
`j=@0
LiY][
:::::::
DWNd&=F
`n=./`
$7&Q_D
`dI9\-
b;;;;;;;;;;Xggh
/k*nW
'+PV3
a5haUGy
LLLLLLLLLLLLLLLLLL9
=mH7|
NYPCX|
-XL.+
@0|p_
~~~~~~
3lB<;
SF' T
Fcfby
Xk5Va
October
R6008
#c8E_
8| Gh
nl2vy
ExitProcess
LLLLLLLLLLLLLLLLLLLLLLLLLLLLL
rx@Rsj@
^0ffff>>?g
&lRD"?}6
Uqb=O
R6019
Runtime Error!
oJ]P]
5m *7T
R6016
z'DSi~
pi/}s
UnhandledExceptionFilter
mscoree.dll
I8p1rHJ
Q S@C'#
%X5/q.
L}=s_
HeapAlloc
13:bc
?kp{mIS
>CB+b9C6
(G#ba
YL>'b
aBs6c
H8e&@
1fZyd
Gxce
:C&6q
SING error
VVVVV
R6034
PElrN
Class Hierarchy Descriptor'
2222222
(pg%A!
tk+sS'5
o]{8Pj
Pq0t,[
:V0!;
eGQ+dBk
delete
zP1p.Q
a ;Dr
LLLLLLL1
GetProcessWindowStation
2222222222222
CfOcD
2222222222222222222222222x
x-X03]5
19]"PP
1N1S1Z1_1f1k1
'{[nM%
ProjectsVersion
$SR*G9
q5u.%Y
;Wn?2
PPPPPPPP
x{r>k
FP]ny
GetStringTypeA
%"64R0
eQ72.
I\5_
[sr<)c
!n1?4
>x^FFK"
Y_^[]
CopyFileA
8,9":*:
T=J?tO
I7cxU
`vector destructor iterator'
3]`r6
9nE9o
2222222222222222222
\lxyLQ
!x2nE)
MJuxoz digu gofu razi cukapidinu kikiha zaxilekolanerel zecisepoko sebuzapudod
<iTk7+
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
5J5c5
9+9F9N9V9m9
pMm%N
WIL$-
Ut3<a
@o:s"
gggggggggF
d)EKiK'&cm
(h888
)s+5K2
GetStartupInfoA
O5LLLLLLLLLLLLLLLLLLLLLLLLLLLLk
)^F>T
B3*eF^
9.9I9O9X9_9
^b{Tm
`h````
$.U_$a
@hP-@
y?ohX
tNVSP
Jb{.V/
GetProcAddress
P#s^E
AAAAAAAAAAl
LLLLLLLLLLLLLLLLLL
TlsGetValue
UHer@i|"
1hRQW
- not enough space for thread data
GetLastError
@rvd$>
7<7b7
s.hK#
#&Dy7
0]"G<Y
G.$&^
zi1_4
Fxn=e
VG-L]
2222222222222222222222zc
cn'm=[cL
`vector constructor iterator'
zY'|4_6
cyyyf
04g5b
y~bxd
\/>pD
02080G0M0\0b0p0y0
Sunday
9gxvH
fhcCA
Evn<g/Z
rG.F%mn
- CRT not initialized
GetLocaleInfoA
6?_.|
Sleep
'eRon
2-2C2N2S2^2c2n2s2
fxzvS`
j.>,:$a
OMU`>tz
(pbbbb
0=bL-
5lUW4d
676B6L6e6o6
+sHs"
p{T[l
Saturday
8H{.7
0LLLLLLLLLLLLLLLLLLLc
KXrpv
^d)1!G
__stdcall
9] SS
Lvmia
Dq{~6m
~oo~c@
K}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
6^% F
6X?qY
=*>0>4>8><>
R6028
h9(g!
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
/s,_!
;]CDV
+-EiQ
g}}}}}}}}}}}}}}}}}}}}}}}}}7
GetCurrentProcess
N'_G8t
aDQEm5E
0H10q
`typeof'
- pure virtual function call
{6>3B{
"|#v!8
N:>'V
N[S!V
`eh vector copy constructor iterator'
}Gc~XR
-b Oc]
v$X1m
t"Z1K
kGA1u
BG*E}z
oa6={
7 CBn
xN_CGvJ
((((( H
^yi||y
R)Vhf.
CreateFileA
`P!i<
am @e
"a"E7&I
V-]f~?
HRfTnf
dddd, MMMM dd, yyyy
JW1>X
atan2
iNYW=
>->A>G>
E9~PqF
WWWWV
ferujek ruv dahevabesayoruxenihinuho
;XqDF
ivcYcPZsCX
,(4(E
:/LLLLLL
DV?iS
700WP
z9%;S
0Y(+'
222222222222222222222222222
i'WZv
0q~31
$=aj{w
ddedr
vYx/k
WriteFile
_JhmLNb
u,h`-@
Lhjx!
E+sge
<[44{
SV=nKsoDR
|`)`(
z1`tTmC'
z;9W}
_ZA$5
1IY]>L8+
q~&ui:
F/>wlP
222222222222222
"rT`-
QW4`3
eQdm|?~
IsDebuggerPresent
$-pS:D
'((((
tR5L}
_cabs
YE@%~
"]x~g
"kpaBH<%
Tyyfyf
FlsFree
msBlv
eb',b
`eh vector destructor iterator'
R&A-Zv2U
w>LLLLLLLLLLLLLLLLLLLLL
_9GLk/u
- unable to open console device
9_e6O3OtM`
`omni callsig'
z9P6tS
y8b0+t
Unknown exception
b`V9^
FlsGetValue
o}kfJ
- floating point support not loaded
log10
GetConsoleAliasesW
f_@"Q
xppwpp
qAAAAAAAAAAAAAAAAAA
'GtD~
AE;A:
MVCKj
kQ0%5(@
`dynamic initializer for '
zqqz[
Yuzavobutor lawuze jazipMXasacosupirixuk sifizonedu nixe xoyavahu mavif vumatetudaxifu han komidelarog
4Fefu
=7UTP
u4vSG
?WF(*,
5FT$E}
LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
~~Eqk18H
GetFileAttributesExW
0SSSSS
y~,!"
6Ma2M#iG4
R6002
August
UWBHh
GetOEMCP
2_-.Y
o3aJo
gD G0
Sr{|[OO
?BnW&
;;kRv
?CorExitProcess
3)363
h(((( H
qF%*t
_c:&O
`local vftable'
4LLLLLLLLLLLLLLLLLLe
[heMx
1O1U1f1
3I4T4^4o4z4-6>6F6L6Q6W6
<J=V=
XUm+W
>/>6>N>Z>`>l>{>
`vector copy constructor iterator'
=d9B9%*(
PVh8.@
L(O^.{
v<m.T
FM_=#
_hypot
OpenWaitableTimerW
- not enough space for locale information
w9b+p
XfQ<L
cbopon
">X4j
Wah~xMM
t@LVM 3
C"^7P?
]R S".*
April
__restrict
delete[]
5fI9-
FreeEnvironmentStringsA
m6UQV
KERNEL32.DLL
H:kIP%3
VX`-!
!y8T
oN`Fh
ul}IQv
InterlockedDecrement
vQ,V2C
SSSSS
DecodePointer
&x#ym
p7tT*
3P+ZS
CsZ{~IZ
1uqMl
GetSystemDefaultLangID
Uo=2-g
lTKa"
7X8e8
URPQQh
Wu_PF1
J6##C6
^`KE@
G;RHo
LCMapStringW
2=@uP
3$3,343<3D3L3T3\3d3l3t3|3
ee(a:)p3
TzQGI
4`sAH
q0F*R:
tNIt?It0It
ny7V,
Y3[xp
22222222222222222222222222222222222222222&%"
=3F/B
V1111t
`default constructor closure'
Gcj*:
g2n=t
StringFileInform
Q-GI^
HeapFree
nEH(8f
(s`#l
0A@@Ju
0#1(161S1
(t<Bv
MessageBoxA
`local static guard'
]_\.e)z
]x(+|
x+rRT
lb?X7
ABCDEFGHIJKLMNOPQRSTUVWXYZ
!:(}Y
MqGhK
^WWWWW
t$<"u
w[N,xYP>
..d c
{}gbdz
EcUGHy
VirtualFree
ZAAAAAAAAAAAAAAAA
cBg?p
A W1n
R6024
floor
.?AVexception@std@@
X'KBP{.
0d0k.>
IC\F>
87kz$
2222222?
8<8I8U8]8e8q8
53ti~
Kx_Q'
Y__^[
W*cHi
~9$Qx
c_L;8[
:^H;_
[j@j
0@|O8m
Fk[j}
L5-bV
#xZHv
3!3I3b3
SSSSW
k|i$=R
:::::::M
W%0r6Y6
GY*32
rw^o\
`LFF]<
"j22222222222222222x
nd5cX8*
4,404P4l4p4
dL8a5R
GetActiveWindow
.rsrc
lo$_]|\(((((
Vd{IH2
)G4jO>Y
5L,Za
LB|EpD
w6VeC
`virtual displacement map'
[G"<x
B[LG7
GetConsoleCP
;+;0;;;@;^;
VvMdv
:%:,:7:@:V:a:{:
&6#^&
December
vn~'K
YF)eyC>
fuXrHf
Gc<UG
Ws$;]lM
{,k{b=~z<
qJuD{v
hq]oA]
Base Class Descriptor at (
=^w6Ya(
#H,t{
RaiseException
^000ff+gG
*>j,0
dH;Y8J
<oA4C
90d`^
_;L^HiP
1?L_k
___________
UQPXY]Y[
USER32.DLL
)y~ d
SetLastError
3O|v'
:qm=:
`y8roOb
D$Y-:
========
/EC'M,
`eh vector vbase copy constructor iterator'
GetLastActivePopup
!^00000
Base Class Array'
This indicates a bug in your application.
GetUserObjectInformationA
u8SS3
{#gb&
zc%C1
`vcall'
6ep5c
TLOSS error
hBT+O6
h=gYH
|*SSQVj
exp10
(r}3M
7q9D_eb
<EW,=
7;%!K
?2222222222
*Rd4(
/Jlhu
+-R1M
KERNEL32.dll
V`uPX
DOMAIN error
SunMonTueWedThuFriSat
?phgR
n7{^0
~UHPY
zk?o,
aK4/aH
m<2xf
KHTR}
January
WWWWQ
}S$^J
GetConsoleMode
z^>f>
YYYYYYYY
3*3X3f3
SXufam per vuropicodatu vufukudon suwap sezay helukuselaw luxixarebenimok huwawehoto;Pofudomuw papisofu yet goyi fom vabaxuvorawis vevavusugohak
up5,'wG
d6kg>
InterlockedIncrement
}}}}}
/`FAk"
r}>[}p
{^08F
N&M4z
U?22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
VerLanguageNameA
*am-k
}}}}}}}}}
0"1*1t1{1
G-r['!i
rI,&e41b
d>Q(/
0Pnm8
j'Wp[
rw;9e
CsV#r
|1/x0
GetCPInfo
\"Sd+
hgg*}}}}}}}}}}}}}}}}}}}}}}}}}}}
A|oL#
'PcHb
jh&;-
75.0.48.6
:::::::::::::::::::::::::::::::::::::::::::::::::7
{Vzo#
HP>ov=
3Ybm}
1id?7
`local static thread guard'
6&6/6:6B6I6Q6X6m6u6
7$797@7F7\7w7
`managed vector constructor iterator'
X 9}
QueryPerformanceCounter
m!&rQ
TlsFree
;pUth$
=}F|K
kq$,.
K2c,r
Yde)N
`vector vbase constructor iterator'
CnQg5
+t HHt
I0V0o0
XN#!`a
A"\Qe
op_0^OC
`LxK?
ZZZZZ
~Ql"&
505P5p5
a:::::
wayugenolijelulayemibor harodutilipagifiwekawovonufu layisewadaciro zejocecide
GlobalAlloc
,VDK~
4[,P7
]3fat
oEjw`
6SlH[YY
LLLLLLLLLLLLLLLLLLLL
lstrlenA
T0[s<
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
50595C5Q5
{_/}h
wNa\7
,d[9A
d`KP1.[B
Db8g1U
^1^BZ}
WM)4hhn
a0f0k0p0
J/H 8
vS1m5
J4AAAAAAAAAAAAAAAAAA4
JG%'`
>">)>0>7>?>G>O>[>d>i>o>y>
K+Kf}
LLLLLLLLLLLLLLLLLLLLL
zG%ie
E%$BE%
n-vH'
z4QCa
\\wcI
#PaMX
Program:
}}}}}}}}}}}}}}}}}}}}}}}
esC[%'
WriteConsoleA
?}Ms?b
te.tcR
<HeYD"
;=;J;X;
e+000
&Pa~h
`}y5|
7XHTnQ
?=?Y?|?
%"iR@]DA0
Richu
>>>>>
X.Ppy
4dFP1G
JoB`!Ht
TerminateProcess
a@vGZ
%FPwS
SetStdHandle
AFX_DIALOG_LAYOUT
M~3Gj
?$?,?2?A?L?R?X?p?v?
Vb?g[
?/\CZ
5G{o2
S"KQX
G3HUG
4futIQ%*
Ho'mc
o"T1N
WriteProfileSectionA
7"7&7*7.72767:7@7K7c7
7!7X7
KxMV&
EMPtZ
l7z:[
89<E<x<
kF7II
(MV7t
{)uq9)=b
!\"dP,
7gULLLLLLLLLLLLLLLLLLLLLLLLLL
8zG@V
6,6R6m6t6}6
*vLLLLLLLLLLLLLLLLLLL
>$>(>,>0>4>8><>@>
}}}}}}}aa
LCMapStringA
teh@p@
.)7~F
o1-?^iC
X|Jmj.
H`wnb
U9T`pC
<QM~~@6
- unexpected heap error
:[7S9
E@{ujAw
6}lQD
GetEnvironmentStrings
,Q.%G
d!Oi!
K5F\=t
@.reloc
LocalAlloc
=$=,=4=<=D=L=T=\=d=l=t=|=
@A_'().7
Microsoft Visual C++ Runtime Library
, <Xw
- not enough space for arguments
Phi/&
4&404V4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
n#:YJa
L+o9n
0%3)3-3135393=3A3F3L3f3u3
ISX#B'
__fastcall
[FX-Yy*[
XgGST
`string'
NFGh=
YF/I`=
3N{~pE
NYo1w+
i.u@+
`6@hL
=;=G=n={=
|>U6*r
222222222222222222T"
~"s2\
s_SnLLLLLLLLLLLLLLLLLLLh3
3)3Y3
HHtXHHt
Yim{yGP
/}=BAAAAAAAAAAAA=
'tlBg
~?t5k
dS*A'
z{AF|
z,xR7
)G`Cr
.#bYor5%FWd
L7bZi
GetSystemTimeAsFileTime
xdJ~\1K
=Zo|\D`
tR|S'<
ZCiwen fehipuselu sitoniropetu jasatamakineta kivixahe muharotayitek jovihujuzed lumuzajapokWijubuxifez wadeneyove bezimacujozi wevukatutiraw tale malafuzomuzuc xulibejigimuci tutawimo fomopivuyekoba`Set tifovase rolelosasucamo yoyebuhip yede lohabekayehave nesezezec faf yikihogulexode xelivetus.Kan fehogas dotomurul neterodida dokox lelucoj
"AJ59>
h&)]2
ZjA-<N
`uxvs
6a~Vy
MM/dd/yy
lR&1j"s)
- unable to initialize heap
W<BVoT
FlushFileBuffers
P3(g;
}VVq^G
R6031
zg'ox
9e#%Z
}0e?R
xY)-}4n
_vqEt
"GZ @
T\-cvh
Q-A*m
oBfX4
y!(=W
}~fffz~fj}
8(989H9X9h9
+m|O:
lAAAAAAAAAAAAlv
374=4
OpenJobObjectA
r8.=]7Z
`scalar deleting destructor'
|wbE{PW
hr4=H
<)<N<b<t<{<
QTmt!
3zR<J
<9=g=m=x=
2222222222222222
GetModuleFileNameA
^SSSSS
March
WWWWW
~UIR8~=
"cX3*
GetACP
iLq=Y
XN"ia
t%HHt
xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
%k|*>1
R6027
tq_ar
`local vftable constructor closure'
CONOUT$
QEJ~@;
ZAAAAAAAAAAAAAAA
<>[)I&
X& WW
j"^SSSSS
L$lr\
.eh_frame
u9Km Li
_VVVVV
ReadFile
lvtX'
3"3;3O3U3^3q3
rZH7l
|3Wz<ji
oCD=FM
nqV+d
2S{nH
7}}}}}}}}}a
S :%V/{9
LoNs9
LZ|'gz
#wUTX
/J.;6
LLLLLLLLLLLLLLLLLLL-A
Ia.xe
JiY>~?
qd"Y0gM
n+mhNL?
CU}bRxY
GetCurrentProcessId
JVd~d@
,3v>q
}}}}}}}}}}
`eh vector constructor iterator'
222222
bad allocation
C<!(J
2EDgy
4.5R5\?
GetVolumePathNameA
Nf@$^
24)SR
["'vq
999?9H9O9j92;j;
"0S3j1
Monday
il4ih
8JUw3q
v~~0~0000fff>>>g\
^=Q8n
2d ;PAV=
nz>64
(xuvB
&w JK
LLLLLLLLLLLLLLLLLLLLLL[<
~,WPV
#,W2*
X!3yb
-A]X?
/zrQ0
!2w~a
WH%#5
HH:mm:ss
PhD/@
<!<(<,<0<4<8<<<@<D<
)Xax8
('8PW
5,IusL
9%:Q:y:
PH<('
Please contact the application's support team for more information.
JanFebMarAprMayJunJulAugSepOctNovDec
ivUJth
>##i5
;p1_DN
z%DRkP
frexp
Iq<:l
nu~\}
,b9`5
222222222%
FJ'pS
{b)|=
LLLLLLLLLLLLLLLL
)^mYB
(O)3}k
>ddddd
}}}}}a
- not enough space for lowio initialization
This application has requested the Runtime to terminate it in an unusual way.
9]$SS
AAAAAAAAAAA
"D)>(
%")%o
HRizavokupuca pupib fala zuyotozodejuw hisa cuziros lofanub ritevotayibewDTepinewateja gocey fiwopenixi sazorot kuwibeki tiheli gutanawogogeteeZoruzoja neho pahanohawifayi toyo leh duniyiyicaram misonofavi tikipurahavevup zemeto xepidogodilagid
V (lc
(<pA@4
k>U(V w
LVDM.EA
?8?M?s?
x222222222{"
L01`#
XrjMnH
msimg32.dll
TP2'K
KRF%H
|%GZ2
R6030
h:ZEG
</=S?
yge)X
I7U/~V>V
P^72*
R6033
4`o46
EO_;Er
Db{K9
+^xR[
sE7$K
r0U55K
BEH}]B}ZM(
SVWUj
PVh /@
Gb%6]
iu~!j6
2.bqS
LLLLLLLLLLLLLLLLLLLLLLLLLLLL
FlsSetValue
]K"?#
LeaveCriticalSection
4F3v r
#mude
z?;r>e
3*4J4X4]4
February
GetConsoleOutputCP
CreateMutexA
VKC=V@kV$
MAr6L,\.
*us>6
C:\cire47\cobigagocutuj\wemovoyeha\wobitu\wuvare\xata.pdb
3 3@3`3
Wednesday
O_Dr!
AAAAAAAAAAAAAAA
|n-5%
+V4,C
oM+XA
@/|)g3
%nICV
SetComputerNameW
222222Z
IsValidCodePage
<n/e}
`F+'U
BK.UX
W`5CF
Thursday
September
V[zeu
-v-=As=N
t"SS9]
FZ3!^^
muyuzavujupasumayuguginibicufaw lhu xajuxa
`.data
__pascal
8=9]9b9R:[:g:
22222222222222
xoPS0j
1#QNAN
VS_VERSION_INFO
4^ff>f>f
FiqV&
w%!q%
OR0@l
!El({
d|!oK
cccccccZ
XCVj |
`vbtable'
9<v.N
- Attempt to initialize the CRT more than once.
;{Wrm
lsW|2
`copy constructor closure'
4:sCK
;X<^<
Translations
WaitNamedPipeA
LLLLLLLLLLLLLLLLLLJ
`LLLLLLLLLLLLLLLLLLL
@:~/6lW
8)caF
>1)}`+
2222{"
ERkOW
kHDw
51>%CP
-+ON+
ZaV>~>
<+t(<-t$:
`xER!
.?AVtype_info@@
(b******
FindNextFileA
P*[4s
=f=q=
1#IND
x222222222222222222222222222222f
2D&ng
c4s]n
ojx_n
tx5*3
Zf8!V
),pe;
]*kXqk
(SqBa
R6018
Hd`x2
R6025
oT~9.
4\= ~
::::::::
5QD#:
Q!*ZxHg4
#QI&1
t,<K3
a.NSX
`placement delete[] closure'
'((((((((((((((('
_|z~~
tqJtE
CR+4P
TlsSetValue
o7/pf
h&)h
7;;+<
_{DzR9
__unaligned
PPPPP
GetStringTypeW
qL[@sl
GetConsoleAliasExesLengthW
J|=fR
Mc2222222Z_MNna
CloseHandle
2J9D:
-;dn"
0"1E1y1
`{F$>
-Dq#-)\
DCX *
i_Z~~
-sd~8VJ4d
5LtjH7
__based(
< tK<
%3j@:
K!/bM
+:fpXXA
EmQ^@
VrjYk
_~R/!
;%;);/;3;L;d;
YD-:k7
KfsVVVVVVVVVVVVVVs
GetThreadContext
2F.t}
L2:(.
txw}F
'hq8F7
AAAAAAAAAAAAAAm
v55]8
`dynamic atexit destructor for '
p>p;i
G(rzH
P"1_c~
FkxzgLD
?=E/AP
%#C#L;
686X6x6
a&k)m=
\2x4ss
l0E/om
gggggggg
hWB'2
/=AAAAAAAAAAAAAAAAAA=
222222222
LP'5*
;m4'3U
(bCf<
::::::Tx9
43Zod
we@rX
y?k1L
dIK>Ya
V>l0[
`managed vector copy constructor iterator'
RotSC
wIVSP
bVI*FGv
- not enough space for _onexit/atexit table
|| &a
2222222222222222222222
35H<A
&acDl9
Z%7=L
(((((
Ot,GT
:mt*`
QSWVj
-%%&ZN
9*PqL
#2'2+2/23272;2?2C2G2K2O2y4
R6017
-64OS
u#;J3
S_M`V
2@2F2x2
KERNEL32
r,kj1
7W8d:v:
(dd[0
qKS(%
~k3EV7
p)<C7
sI1!X
/E<1.A
WideCharToMultiByte
W,j-Y
HeapSize
noferiluhahapemexumehiyosagisicohexoku
+4um"q
r+]^|Wor
wYB+p_
Onw f)
G#K*A
{[o6a2
/gXb,#Y
gNNNNN((
P^msT#;}
:xDUN
2\2m2
YQPVh
rP7vT
a^:Ri
R6009
`managed vector destructor iterator'
1#SNAN
Kc}7V
gu}}}}}}}}}}}}}}}}}}}}}}
VzEx:%
Piwocati reboy polo himuriz-Miyopitepaburo wiru raku piguyizetofec luzesicTozaxabifab xovopowunupupet tosu rif jezonejidisarax nunex xezuputo relecesejes periwitawo nocobuzoDXehugepofi wafakozidiv diparijusifo zamili sobawoluyu vujomicohogohi
(sN;U.
*hX-@
4BW!U
GetEnvironmentStringsW
cf>/z
l>k]0
`vftable'
"a-%J
$6LLLLLLLLLLLLLLLLLLLLLLLLL
!This program cannot be run in DOS mode.
>b][/)
A8Juq,
%s %f %c
rd?0&
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x00400000 | 0x00004dc9 | 0x0007916b | 0x0007916b | 5.0 | C:\cire47\cobigagocutuj\wemovoyeha\wobitu\wuvare\xata.pdb | 2021-11-10 16:32:53 | 803fde251b2a69721fa12bfe881971ea |  |
44f3c23e70659a6038b20a97a65b0a03 | 1ebc4b3ab3b23f896de2d55a4efdf473 | 8c8efccc8c8c8cc8 |
Version Infos
| FileVersions | 32.89.0.100 |
|---|---|
| InternationalName | povgwaoci.iwe |
| Copyright | Copyright (C) 2022, somoklos |
| ProjectsVersion | 75.0.48.6 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x00011f40 | 0x00012000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.69 |
| .data | 0x00012400 | 0x00013000 | 0x0044ba3c | 0x0004ba00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.54 |
| .rsrc | 0x0005de00 | 0x0045f000 | 0x00015ad0 | 0x00015c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.54 |
| .reloc | 0x00073a00 | 0x00475000 | 0x0000435c | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 1.77 |
Overlay
| Offset | 0x00077e00 |
| Size | 0x0000000e |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| AFX_DIALOG_LAYOUT | 0x00473b78 | 0x00000002 | LANG_TSWANA | SUBLANG_DEFAULT | 1.00 | None |
| AFX_DIALOG_LAYOUT | 0x00473b68 | 0x0000000e | LANG_TSWANA | SUBLANG_DEFAULT | 3.18 | None |
| AFX_DIALOG_LAYOUT | 0x00473b58 | 0x0000000e | LANG_TSWANA | SUBLANG_DEFAULT | 3.18 | None |
| RT_CURSOR | 0x00473b80 | 0x00000130 | LANG_TSWANA | SUBLANG_DEFAULT | 2.66 | None |
| RT_CURSOR | 0x00473cb0 | 0x000000b0 | LANG_TSWANA | SUBLANG_DEFAULT | 2.20 | None |
| RT_ICON | 0x0045f7c0 | 0x00000ea8 | LANG_TSWANA | SUBLANG_DEFAULT | 4.19 | None |
| RT_ICON | 0x00460668 | 0x000008a8 | LANG_TSWANA | SUBLANG_DEFAULT | 5.03 | None |
| RT_ICON | 0x00460f10 | 0x000025a8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.51 | None |
| RT_ICON | 0x004634b8 | 0x000010a8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.47 | None |
| RT_ICON | 0x00464560 | 0x00000468 | LANG_TSWANA | SUBLANG_DEFAULT | 6.30 | None |
| RT_ICON | 0x00464a18 | 0x000006c8 | LANG_TSWANA | SUBLANG_DEFAULT | 5.31 | None |
| RT_ICON | 0x004650e0 | 0x000025a8 | LANG_TSWANA | SUBLANG_DEFAULT | 5.58 | None |
| RT_ICON | 0x00467688 | 0x00000468 | LANG_TSWANA | SUBLANG_DEFAULT | 5.95 | None |
| RT_ICON | 0x00467b20 | 0x00000ea8 | LANG_TSWANA | SUBLANG_DEFAULT | 5.57 | None |
| RT_ICON | 0x004689c8 | 0x000008a8 | LANG_TSWANA | SUBLANG_DEFAULT | 5.51 | None |
| RT_ICON | 0x00469270 | 0x00000568 | LANG_TSWANA | SUBLANG_DEFAULT | 6.01 | None |
| RT_ICON | 0x004697d8 | 0x000025a8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.15 | None |
| RT_ICON | 0x0046bd80 | 0x000010a8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.32 | None |
| RT_ICON | 0x0046ce28 | 0x00000988 | LANG_TSWANA | SUBLANG_DEFAULT | 6.31 | None |
| RT_ICON | 0x0046d7b0 | 0x00000468 | LANG_TSWANA | SUBLANG_DEFAULT | 5.65 | None |
| RT_ICON | 0x0046dc80 | 0x00000ea8 | LANG_TSWANA | SUBLANG_DEFAULT | 5.68 | None |
| RT_ICON | 0x0046eb28 | 0x000008a8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.18 | None |
| RT_ICON | 0x0046f3d0 | 0x000006c8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.05 | None |
| RT_ICON | 0x0046fa98 | 0x00000568 | LANG_TSWANA | SUBLANG_DEFAULT | 5.95 | None |
| RT_ICON | 0x00470000 | 0x000025a8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.04 | None |
| RT_ICON | 0x004725a8 | 0x000010a8 | LANG_TSWANA | SUBLANG_DEFAULT | 6.61 | None |
| RT_ICON | 0x00473650 | 0x00000468 | LANG_TSWANA | SUBLANG_DEFAULT | 6.85 | None |
| RT_STRING | 0x00473f78 | 0x000004a8 | LANG_TSWANA | SUBLANG_DEFAULT | 3.22 | None |
| RT_STRING | 0x00474420 | 0x000006ae | LANG_TSWANA | SUBLANG_DEFAULT | 3.27 | None |
| RT_ACCELERATOR | 0x00473b20 | 0x00000038 | LANG_TSWANA | SUBLANG_DEFAULT | 3.02 | None |
| RT_GROUP_CURSOR | 0x00473d60 | 0x00000022 | LANG_TSWANA | SUBLANG_DEFAULT | 2.33 | None |
| RT_GROUP_ICON | 0x004649c8 | 0x0000004c | LANG_TSWANA | SUBLANG_DEFAULT | 2.63 | None |
| RT_GROUP_ICON | 0x00473ab8 | 0x00000068 | LANG_TSWANA | SUBLANG_DEFAULT | 2.91 | None |
| RT_GROUP_ICON | 0x00467af0 | 0x00000030 | LANG_TSWANA | SUBLANG_DEFAULT | 2.75 | None |
| RT_GROUP_ICON | 0x0046dc18 | 0x00000068 | LANG_TSWANA | SUBLANG_DEFAULT | 2.90 | None |
| RT_VERSION | 0x00473d88 | 0x000001ec | LANG_TSWANA | SUBLANG_DEFAULT | 3.40 | None |
Imports
| Defense Evasion | Discovery | Command and Control | Execution | Privilege Escalation |
|
|
|
|
|---|
Usage
Processing ( 2.21 seconds )
- 1.619 CAPE
- 0.562 Heatmap
- 0.016 BehaviorAnalysis
- 0.006 NetworkAnalysis
- 0.003 AnalysisInfo
Signatures ( 0.02 seconds )
- 0.003 ransomware_files
- 0.002 antianalysis_detectfile
- 0.002 antiav_detectreg
- 0.002 ransomware_extensions
- 0.001 network_dyndns
- 0.001 antianalysis_detectreg
- 0.001 antiav_detectfile
- 0.001 antivm_vbox_files
- 0.001 browser_security
- 0.001 infostealer_bitcoin
- 0.001 infostealer_ftp
- 0.001 infostealer_im
- 0.001 infostealer_mail
- 0.001 poullight_files
- 0.001 masquerade_process_name
- 0.001 territorial_disputes_sigs
- 0.001 ursnif_behavior
Reporting ( 0.05 seconds )
- 0.044 ReportHTML
- 0.002 LiteReport
- 0.002 MITRE_TTPS
- 0.001 JsonDump
Signatures
Attempts to connect to a dead IP:Port (1 unique times)
IP: 172.61.0.2:80
The PE file contains a PDB path
pdbpath: C:\cire47\cobigagocutuj\wemovoyeha\wobitu\wuvare\xata.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
At least one process apparently crashed during execution
Possible date expiration check, exits too soon after checking local time
process: e9b7110334eeff9ee59b.exe, PID 3012
Makes WinAPI calls related to user discovery
Resolved address: wpad - {''}
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/GetMessageExtraInfo
DynamicLoader: kernel32.dll/WinExec
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/SetThreadContext
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtWriteVirtualMemory
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/PostMessageA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: uxtheme.dll/ThemeInitApiHook
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: Urlmon.dll/URLDownloadToFileA
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/NotifyIpInterfaceChange
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoInitializeEx
DynamicLoader: IPHLPAPI.DLL/NotifyUnicastIpAddressChange
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/EventWrite
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoCreateInstance
DynamicLoader: IPHLPAPI.DLL/GetAdaptersAddresses
DynamicLoader: dhcpcsvc.DLL/DhcpRequestParams
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: Urlmon.dll/CoInternetCreateSecurityManager
DynamicLoader: Urlmon.dll/CoInternetCreateZoneManager
DynamicLoader: WS2_32.dll/GetAddrInfoExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/StringFromIID
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: kernel32.dll/GetModuleHandleExW
DynamicLoader: kernel32.dll/CreateActCtxW
DynamicLoader: kernel32.dll/ActivateActCtx
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/DeactivateActCtx
DynamicLoader: WS2_32.dll/getaddrinfo
DynamicLoader: WS2_32.dll/getnameinfo
DynamicLoader: WS2_32.dll/freeaddrinfo
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSASocketA
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/ObjectStublessClient10
DynamicLoader: OLEAUT32.dll/DllGetClassObject
DynamicLoader: OLEAUT32.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: api-ms-win-downlevel-advapi32-l1-1-0.dll/RegEnumKeyExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/WSAGetOverlappedResult
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockExclusive
DynamicLoader: kernel32.dll/ReleaseSRWLockExclusive
DynamicLoader: kernel32.dll/AcquireSRWLockShared
DynamicLoader: kernel32.dll/ReleaseSRWLockShared
Resumed a thread in another process
thread_resumed: Process e9b7110334eeff9ee59b.exe with process ID 3012 resumed a thread in another process with the process ID 3472
A process created a hidden window
process: e9b7110334eeff9ee59b.exe -> C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe
Looks up the external IP address
domain: api.ipify.org
Checks for presence of debugger via IsDebuggerPresent
Creates RWX memory
Created a process from a suspicious location
file: C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe
command: "C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe"
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 3012 triggered the Yara rule 'shellcode_stack_strings' with data '['{ C6 45 90 73 C6 45 91 61 C6 45 92 6F C6 45 93 64 C6 45 94 6B C6 45 95 66 C6 45 96 6E C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 91 61 C6 45 92 6F C6 45 93 64 C6 45 94 6B C6 45 95 66 C6 45 96 6E C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 92 6F C6 45 93 64 C6 45 94 6B C6 45 95 66 C6 45 96 6E C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 93 64 C6 45 94 6B C6 45 95 66 C6 45 96 6E C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 94 6B C6 45 95 66 C6 45 96 6E C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 95 66 C6 45 96 6E C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 96 6E C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 97 6F C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 98 73 C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 99 61 C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 9A 39 C6 45 9B 75 C6 45 9C 69 C6 45 9D 6E C6 45 9E 00 }', '{ C6 45 A4 6D C6 45 A5 66 C6 45 A6 6F C6 45 A7 61 C6 45 A8 73 C6 45 A9 6B C6 45 AA 64 C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 A5 66 C6 45 A6 6F C6 45 A7 61 C6 45 A8 73 C6 45 A9 6B C6 45 AA 64 C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 A6 6F C6 45 A7 61 C6 45 A8 73 C6 45 A9 6B C6 45 AA 64 C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 A7 61 C6 45 A8 73 C6 45 A9 6B C6 45 AA 64 C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 A8 73 C6 45 A9 6B C6 45 AA 64 C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 A9 6B C6 45 AA 64 C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 AA 64 C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 AB 66 C6 45 AC 6E C6 45 AD 6F C6 45 AE 61 C6 45 AF 00 }', '{ C6 45 F0 61 C6 45 F1 70 C6 45 F2 66 C6 45 F3 48 C6 45 F4 51 C6 45 F5 00 }', '{ C6 45 F1 70 C6 45 F2 66 C6 45 F3 48 C6 45 F4 51 C6 45 F5 00 }', '{ C6 45 E4 57 C6 45 E5 69 C6 45 E6 6E C6 45 E7 45 C6 45 E8 78 C6 45 E9 65 C6 45 EA 63 C6 45 EB 00 }', '{ C6 45 E5 69 C6 45 E6 6E C6 45 E7 45 C6 45 E8 78 C6 45 E9 65 C6 45 EA 63 C6 45 EB 00 }', '{ C6 45 E6 6E C6 45 E7 45 C6 45 E8 78 C6 45 E9 65 C6 45 EA 63 C6 45 EB 00 }', '{ C6 45 E7 45 C6 45 E8 78 C6 45 E9 65 C6 45 EA 63 C6 45 EB 00 }', '{ C6 45 B0 57 C6 45 B1 72 C6 45 B2 69 C6 45 B3 74 C6 45 B4 65 C6 45 B5 46 C6 45 B6 69 C6 45 B7 6C C6 45 B8 65 C6 45 B9 00 }', '{ C6 45 B1 72 C6 45 B2 69 C6 45 B3 74 C6 45 B4 65 C6 45 B5 46 C6 45 B6 69 C6 45 B7 6C C6 45 B8 65 C6 45 B9 00 }', '{ C6 45 B2 69 C6 45 B3 74 C6 45 B4 65 C6 45 B5 46 C6 45 B6 69 C6 45 B7 6C C6 45 B8 65 C6 45 B9 00 }', '{ C6 45 B3 74 C6 45 B4 65 C6 45 B5 46 C6 45 B6 69 C6 45 B7 6C C6 45 B8 65 C6 45 B9 00 }', '{ C6 45 B4 65 C6 45 B5 46 C6 45 B6 69 C6 45 B7 6C C6 45 B8 65 C6 45 B9 00 }', '{ C6 45 B5 46 C6 45 B6 69 C6 45 B7 6C C6 45 B8 65 C6 45 B9 00 }', '{ C6 45 BC 47 C6 45 BD 65 C6 45 BE 74 C6 45 BF 4D C6 45 C0 6F C6 45 C1 64 C6 45 C2 75 C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 BD 65 C6 45 BE 74 C6 45 BF 4D C6 45 C0 6F C6 45 C1 64 C6 45 C2 75 C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 BE 74 C6 45 BF 4D C6 45 C0 6F C6 45 C1 64 C6 45 C2 75 C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 BF 4D C6 45 C0 6F C6 45 C1 64 C6 45 C2 75 C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C0 6F C6 45 C1 64 C6 45 C2 75 C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C1 64 C6 45 C2 75 C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C2 75 C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C3 6C C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C4 65 C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C5 46 C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C6 69 C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C7 6C C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C8 65 C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 C9 4E C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 CA 61 C6 45 CB 6D C6 45 CC 65 C6 45 CD 41 C6 45 CE 00 }', '{ C6 45 EC 47 C6 45 ED 65 C6 45 EE 74 C6 45 EF 4D C6 45 F0 65 C6 45 F1 73 C6 45 F2 73 C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 ED 65 C6 45 EE 74 C6 45 EF 4D C6 45 F0 65 C6 45 F1 73 C6 45 F2 73 C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 EE 74 C6 45 EF 4D C6 45 F0 65 C6 45 F1 73 C6 45 F2 73 C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 EF 4D C6 45 F0 65 C6 45 F1 73 C6 45 F2 73 C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 F0 65 C6 45 F1 73 C6 45 F2 73 C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 F1 73 C6 45 F2 73 C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 F2 73 C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 F3 61 C6 45 F4 67 C6 45 F5 65 C6 45 F6 41 C6 45 F7 00 }', '{ C6 45 D0 47 C6 45 D1 65 C6 45 D2 74 C6 45 D3 46 C6 45 D4 69 C6 45 D5 6C C6 45 D6 65 C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D1 65 C6 45 D2 74 C6 45 D3 46 C6 45 D4 69 C6 45 D5 6C C6 45 D6 65 C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D2 74 C6 45 D3 46 C6 45 D4 69 C6 45 D5 6C C6 45 D6 65 C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D3 46 C6 45 D4 69 C6 45 D5 6C C6 45 D6 65 C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D4 69 C6 45 D5 6C C6 45 D6 65 C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D5 6C C6 45 D6 65 C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D6 65 C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D7 41 C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D8 74 C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 D9 74 C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 DA 72 C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 DB 69 C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 DC 62 C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 DD 75 C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 45 DE 74 C6 45 DF 65 C6 45 E0 73 C6 45 E1 41 C6 45 E2 00 }', '{ C6 85 D8 FE FF FF 75 C6 85 D9 FE FF FF 73 C6 85 DA FE FF FF 65 C6 85 DB FE FF FF 72 C6 85 DC FE FF FF 33 C6 85 DD FE FF FF 32 C6 85 DE FE FF FF 00 }', '{ C6 85 D9 FE FF FF 73 C6 85 DA FE FF FF 65 C6 85 DB FE FF FF 72 C6 85 DC FE FF FF 33 C6 85 DD FE FF FF 32 C6 85 DE FE FF FF 00 }', '{ C6 85 DA FE FF FF 65 C6 85 DB FE FF FF 72 C6 85 DC FE FF FF 33 C6 85 DD FE FF FF 32 C6 85 DE FE FF FF 00 }', '{ C6 85 E0 FE FF FF 4D C6 85 E1 FE FF FF 65 C6 85 E2 FE FF FF 73 C6 85 E3 FE FF FF 73 C6 85 E4 FE FF FF 61 C6 85 E5 FE FF FF 67 C6 85 E6 FE FF FF 65 C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 E1 FE FF FF 65 C6 85 E2 FE FF FF 73 C6 85 E3 FE FF FF 73 C6 85 E4 FE FF FF 61 C6 85 E5 FE FF FF 67 C6 85 E6 FE FF FF 65 C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 E2 FE FF FF 73 C6 85 E3 FE FF FF 73 C6 85 E4 FE FF FF 61 C6 85 E5 FE FF FF 67 C6 85 E6 FE FF FF 65 C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 E3 FE FF FF 73 C6 85 E4 FE FF FF 61 C6 85 E5 FE FF FF 67 C6 85 E6 FE FF FF 65 C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 E4 FE FF FF 61 C6 85 E5 FE FF FF 67 C6 85 E6 FE FF FF 65 C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 E5 FE FF FF 67 C6 85 E6 FE FF FF 65 C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 E6 FE FF FF 65 C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 E7 FE FF FF 42 C6 85 E8 FE FF FF 6F C6 85 E9 FE FF FF 78 C6 85 EA FE FF FF 41 C6 85 EB FE FF FF 00 }', '{ C6 85 98 FE FF FF 47 C6 85 99 FE FF FF 65 C6 85 9A FE FF FF 74 C6 85 9B FE FF FF 4D C6 85 9C FE FF FF 65 C6 85 9D FE FF FF 73 C6 85 9E FE FF FF 73 C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 99 FE FF FF 65 C6 85 9A FE FF FF 74 C6 85 9B FE FF FF 4D C6 85 9C FE FF FF 65 C6 85 9D FE FF FF 73 C6 85 9E FE FF FF 73 C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 9A FE FF FF 74 C6 85 9B FE FF FF 4D C6 85 9C FE FF FF 65 C6 85 9D FE FF FF 73 C6 85 9E FE FF FF 73 C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 9B FE FF FF 4D C6 85 9C FE FF FF 65 C6 85 9D FE FF FF 73 C6 85 9E FE FF FF 73 C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 9C FE FF FF 65 C6 85 9D FE FF FF 73 C6 85 9E FE FF FF 73 C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 9D FE FF FF 73 C6 85 9E FE FF FF 73 C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 9E FE FF FF 73 C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 9F FE FF FF 61 C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A0 FE FF FF 67 C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A1 FE FF FF 65 C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A2 FE FF FF 45 C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A3 FE FF FF 78 C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A4 FE FF FF 74 C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A5 FE FF FF 72 C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A6 FE FF FF 61 C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 A7 FE FF FF 49 C6 85 A8 FE FF FF 6E C6 85 A9 FE FF FF 66 C6 85 AA FE FF FF 6F C6 85 AB FE FF FF 00 }', '{ C6 85 EC FE FF FF 6B C6 85 ED FE FF FF 65 C6 85 EE FE FF FF 72 C6 85 EF FE FF FF 6E C6 85 F0 FE FF FF 65 C6 85 F1 FE FF FF 6C C6 85 F2 FE FF FF 33 C6 85 F3 FE FF FF 32 C6 85 F4 FE FF FF 00 }', '{ C6 85 ED FE FF FF 65 C6 85 EE FE FF FF 72 C6 85 EF FE FF FF 6E C6 85 F0 FE FF FF 65 C6 85 F1 FE FF FF 6C C6 85 F2 FE FF FF 33 C6 85 F3 FE FF FF 32 C6 85 F4 FE FF FF 00 }', '{ C6 85 EE FE FF FF 72 C6 85 EF FE FF FF 6E C6 85 F0 FE FF FF 65 C6 85 F1 FE FF FF 6C C6 85 F2 FE FF FF 33 C6 85 F3 FE FF FF 32 C6 85 F4 FE FF FF 00 }', '{ C6 85 EF FE FF FF 6E C6 85 F0 FE FF FF 65 C6 85 F1 FE FF FF 6C C6 85 F2 FE FF FF 33 C6 85 F3 FE FF FF 32 C6 85 F4 FE FF FF 00 }', '{ C6 85 F0 FE FF FF 65 C6 85 F1 FE FF FF 6C C6 85 F2 FE FF FF 33 C6 85 F3 FE FF FF 32 C6 85 F4 FE FF FF 00 }', '{ C6 85 64 FD FF FF 43 C6 85 65 FD FF FF 72 C6 85 66 FD FF FF 65 C6 85 67 FD FF FF 61 C6 85 68 FD FF FF 74 C6 85 69 FD FF FF 65 C6 85 6A FD FF FF 46 C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 65 FD FF FF 72 C6 85 66 FD FF FF 65 C6 85 67 FD FF FF 61 C6 85 68 FD FF FF 74 C6 85 69 FD FF FF 65 C6 85 6A FD FF FF 46 C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 66 FD FF FF 65 C6 85 67 FD FF FF 61 C6 85 68 FD FF FF 74 C6 85 69 FD FF FF 65 C6 85 6A FD FF FF 46 C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 67 FD FF FF 61 C6 85 68 FD FF FF 74 C6 85 69 FD FF FF 65 C6 85 6A FD FF FF 46 C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 68 FD FF FF 74 C6 85 69 FD FF FF 65 C6 85 6A FD FF FF 46 C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 69 FD FF FF 65 C6 85 6A FD FF FF 46 C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 6A FD FF FF 46 C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 6B FD FF FF 69 C6 85 6C FD FF FF 6C C6 85 6D FD FF FF 65 C6 85 6E FD FF FF 41 C6 85 6F FD FF FF 00 }', '{ C6 85 50 FE FF FF 43 C6 85 51 FE FF FF 6C C6 85 52 FE FF FF 6F C6 85 53 FE FF FF 73 C6 85 54 FE FF FF 65 C6 85 55 FE FF FF 48 C6 85 56 FE FF FF 61 C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 51 FE FF FF 6C C6 85 52 FE FF FF 6F C6 85 53 FE FF FF 73 C6 85 54 FE FF FF 65 C6 85 55 FE FF FF 48 C6 85 56 FE FF FF 61 C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 52 FE FF FF 6F C6 85 53 FE FF FF 73 C6 85 54 FE FF FF 65 C6 85 55 FE FF FF 48 C6 85 56 FE FF FF 61 C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 53 FE FF FF 73 C6 85 54 FE FF FF 65 C6 85 55 FE FF FF 48 C6 85 56 FE FF FF 61 C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 54 FE FF FF 65 C6 85 55 FE FF FF 48 C6 85 56 FE FF FF 61 C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 55 FE FF FF 48 C6 85 56 FE FF FF 61 C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 56 FE FF FF 61 C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 57 FE FF FF 6E C6 85 58 FE FF FF 64 C6 85 59 FE FF FF 6C C6 85 5A FE FF FF 65 C6 85 5B FE FF FF 00 }', '{ C6 85 80 FD FF FF 43 C6 85 81 FD FF FF 72 C6 85 82 FD FF FF 65 C6 85 83 FD FF FF 61 C6 85 84 FD FF FF 74 C6 85 85 FD FF FF 65 C6 85 86 FD FF FF 50 C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 81 FD FF FF 72 C6 85 82 FD FF FF 65 C6 85 83 FD FF FF 61 C6 85 84 FD FF FF 74 C6 85 85 FD FF FF 65 C6 85 86 FD FF FF 50 C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 82 FD FF FF 65 C6 85 83 FD FF FF 61 C6 85 84 FD FF FF 74 C6 85 85 FD FF FF 65 C6 85 86 FD FF FF 50 C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 83 FD FF FF 61 C6 85 84 FD FF FF 74 C6 85 85 FD FF FF 65 C6 85 86 FD FF FF 50 C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 84 FD FF FF 74 C6 85 85 FD FF FF 65 C6 85 86 FD FF FF 50 C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 85 FD FF FF 65 C6 85 86 FD FF FF 50 C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 86 FD FF FF 50 C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 87 FD FF FF 72 C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 88 FD FF FF 6F C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 89 FD FF FF 63 C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 8A FD FF FF 65 C6 85 8B FD FF FF 73 C6 85 8C FD FF FF 73 C6 85 8D FD FF FF 41 C6 85 8E FD FF FF 00 }', '{ C6 85 0C FF FF FF 47 C6 85 0D FF FF FF 65 C6 85 0E FF FF FF 74 C6 85 0F FF FF FF 54 C6 85 10 FF FF FF 68 C6 85 11 FF FF FF 72 C6 85 12 FF FF FF 65 C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 0D FF FF FF 65 C6 85 0E FF FF FF 74 C6 85 0F FF FF FF 54 C6 85 10 FF FF FF 68 C6 85 11 FF FF FF 72 C6 85 12 FF FF FF 65 C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 0E FF FF FF 74 C6 85 0F FF FF FF 54 C6 85 10 FF FF FF 68 C6 85 11 FF FF FF 72 C6 85 12 FF FF FF 65 C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 0F FF FF FF 54 C6 85 10 FF FF FF 68 C6 85 11 FF FF FF 72 C6 85 12 FF FF FF 65 C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 10 FF FF FF 68 C6 85 11 FF FF FF 72 C6 85 12 FF FF FF 65 C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 11 FF FF FF 72 C6 85 12 FF FF FF 65 C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 12 FF FF FF 65 C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 13 FF FF FF 61 C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 14 FF FF FF 64 C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 15 FF FF FF 43 C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 16 FF FF FF 6F C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 17 FF FF FF 6E C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 18 FF FF FF 74 C6 85 19 FF FF FF 65 C6 85 1A FF FF FF 78 C6 85 1B FF FF FF 74 C6 85 1C FF FF FF 00 }', '{ C6 85 5C FE FF FF 56 C6 85 5D FE FF FF 69 C6 85 5E FE FF FF 72 C6 85 5F FE FF FF 74 C6 85 60 FE FF FF 75 C6 85 61 FE FF FF 61 C6 85 62 FE FF FF 6C C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 5D FE FF FF 69 C6 85 5E FE FF FF 72 C6 85 5F FE FF FF 74 C6 85 60 FE FF FF 75 C6 85 61 FE FF FF 61 C6 85 62 FE FF FF 6C C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 5E FE FF FF 72 C6 85 5F FE FF FF 74 C6 85 60 FE FF FF 75 C6 85 61 FE FF FF 61 C6 85 62 FE FF FF 6C C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 5F FE FF FF 74 C6 85 60 FE FF FF 75 C6 85 61 FE FF FF 61 C6 85 62 FE FF FF 6C C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 60 FE FF FF 75 C6 85 61 FE FF FF 61 C6 85 62 FE FF FF 6C C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 61 FE FF FF 61 C6 85 62 FE FF FF 6C C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 62 FE FF FF 6C C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 63 FE FF FF 41 C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 64 FE FF FF 6C C6 85 65 FE FF FF 6C C6 85 66 FE FF FF 6F C6 85 67 FE FF FF 63 C6 85 68 FE FF FF 00 }', '{ C6 85 40 FE FF FF 56 C6 85 41 FE FF FF 69 C6 85 42 FE FF FF 72 C6 85 43 FE FF FF 74 C6 85 44 FE FF FF 75 C6 85 45 FE FF FF 61 C6 85 46 FE FF FF 6C C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 41 FE FF FF 69 C6 85 42 FE FF FF 72 C6 85 43 FE FF FF 74 C6 85 44 FE FF FF 75 C6 85 45 FE FF FF 61 C6 85 46 FE FF FF 6C C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 42 FE FF FF 72 C6 85 43 FE FF FF 74 C6 85 44 FE FF FF 75 C6 85 45 FE FF FF 61 C6 85 46 FE FF FF 6C C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 43 FE FF FF 74 C6 85 44 FE FF FF 75 C6 85 45 FE FF FF 61 C6 85 46 FE FF FF 6C C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 44 FE FF FF 75 C6 85 45 FE FF FF 61 C6 85 46 FE FF FF 6C C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 45 FE FF FF 61 C6 85 46 FE FF FF 6C C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 46 FE FF FF 6C C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 47 FE FF FF 41 C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 48 FE FF FF 6C C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 49 FE FF FF 6C C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 4A FE FF FF 6F C6 85 4B FE FF FF 63 C6 85 4C FE FF FF 45 C6 85 4D FE FF FF 78 C6 85 4E FE FF FF 00 }', '{ C6 85 6C FE FF FF 56 C6 85 6D FE FF FF 69 C6 85 6E FE FF FF 72 C6 85 6F FE FF FF 74 C6 85 70 FE FF FF 75 C6 85 71 FE FF FF 61 C6 85 72 FE FF FF 6C C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 6D FE FF FF 69 C6 85 6E FE FF FF 72 C6 85 6F FE FF FF 74 C6 85 70 FE FF FF 75 C6 85 71 FE FF FF 61 C6 85 72 FE FF FF 6C C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 6E FE FF FF 72 C6 85 6F FE FF FF 74 C6 85 70 FE FF FF 75 C6 85 71 FE FF FF 61 C6 85 72 FE FF FF 6C C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 6F FE FF FF 74 C6 85 70 FE FF FF 75 C6 85 71 FE FF FF 61 C6 85 72 FE FF FF 6C C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 70 FE FF FF 75 C6 85 71 FE FF FF 61 C6 85 72 FE FF FF 6C C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 71 FE FF FF 61 C6 85 72 FE FF FF 6C C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 72 FE FF FF 6C C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 73 FE FF FF 46 C6 85 74 FE FF FF 72 C6 85 75 FE FF FF 65 C6 85 76 FE FF FF 65 C6 85 77 FE FF FF 00 }', '{ C6 85 F8 FE FF FF 52 C6 85 F9 FE FF FF 65 C6 85 FA FE FF FF 61 C6 85 FB FE FF FF 64 C6 85 FC FE FF FF 50 C6 85 FD FE FF FF 72 C6 85 FE FE FF FF 6F C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 F9 FE FF FF 65 C6 85 FA FE FF FF 61 C6 85 FB FE FF FF 64 C6 85 FC FE FF FF 50 C6 85 FD FE FF FF 72 C6 85 FE FE FF FF 6F C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 FA FE FF FF 61 C6 85 FB FE FF FF 64 C6 85 FC FE FF FF 50 C6 85 FD FE FF FF 72 C6 85 FE FE FF FF 6F C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 FB FE FF FF 64 C6 85 FC FE FF FF 50 C6 85 FD FE FF FF 72 C6 85 FE FE FF FF 6F C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 FC FE FF FF 50 C6 85 FD FE FF FF 72 C6 85 FE FE FF FF 6F C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 FD FE FF FF 72 C6 85 FE FE FF FF 6F C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 FE FE FF FF 6F C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 FF FE FF FF 63 C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 00 FF FF FF 65 C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 01 FF FF FF 73 C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 02 FF FF FF 73 C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 03 FF FF FF 4D C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 04 FF FF FF 65 C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 05 FF FF FF 6D C6 85 06 FF FF FF 6F C6 85 07 FF FF FF 72 C6 85 08 FF FF FF 79 C6 85 09 FF FF FF 00 }', '{ C6 85 90 FD FF FF 57 C6 85 91 FD FF FF 72 C6 85 92 FD FF FF 69 C6 85 93 FD FF FF 74 C6 85 94 FD FF FF 65 C6 85 95 FD FF FF 50 C6 85 96 FD FF FF 72 C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 91 FD FF FF 72 C6 85 92 FD FF FF 69 C6 85 93 FD FF FF 74 C6 85 94 FD FF FF 65 C6 85 95 FD FF FF 50 C6 85 96 FD FF FF 72 C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 92 FD FF FF 69 C6 85 93 FD FF FF 74 C6 85 94 FD FF FF 65 C6 85 95 FD FF FF 50 C6 85 96 FD FF FF 72 C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 93 FD FF FF 74 C6 85 94 FD FF FF 65 C6 85 95 FD FF FF 50 C6 85 96 FD FF FF 72 C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 94 FD FF FF 65 C6 85 95 FD FF FF 50 C6 85 96 FD FF FF 72 C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 95 FD FF FF 50 C6 85 96 FD FF FF 72 C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 96 FD FF FF 72 C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 97 FD FF FF 6F C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 98 FD FF FF 63 C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 99 FD FF FF 65 C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 9A FD FF FF 73 C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 9B FD FF FF 73 C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 9C FD FF FF 4D C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 9D FD FF FF 65 C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 9E FD FF FF 6D C6 85 9F FD FF FF 6F C6 85 A0 FD FF FF 72 C6 85 A1 FD FF FF 79 C6 85 A2 FD FF FF 00 }', '{ C6 85 0B FE FF FF 6E C6 85 0C FE FF FF 74 C6 85 0D FE FF FF 65 C6 85 0E FE FF FF 78 C6 85 0F FE FF FF 74 C6 85 10 FE FF FF 00 }', '{ C6 85 0C FE FF FF 74 C6 85 0D FE FF FF 65 C6 85 0E FE FF FF 78 C6 85 0F FE FF FF 74 C6 85 10 FE FF FF 00 }', '{ C6 85 A4 FD FF FF 52 C6 85 A5 FD FF FF 65 C6 85 A6 FD FF FF 73 C6 85 A7 FD FF FF 75 C6 85 A8 FD FF FF 6D C6 85 A9 FD FF FF 65 C6 85 AA FD FF FF 54 C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 A5 FD FF FF 65 C6 85 A6 FD FF FF 73 C6 85 A7 FD FF FF 75 C6 85 A8 FD FF FF 6D C6 85 A9 FD FF FF 65 C6 85 AA FD FF FF 54 C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 A6 FD FF FF 73 C6 85 A7 FD FF FF 75 C6 85 A8 FD FF FF 6D C6 85 A9 FD FF FF 65 C6 85 AA FD FF FF 54 C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 A7 FD FF FF 75 C6 85 A8 FD FF FF 6D C6 85 A9 FD FF FF 65 C6 85 AA FD FF FF 54 C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 A8 FD FF FF 6D C6 85 A9 FD FF FF 65 C6 85 AA FD FF FF 54 C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 A9 FD FF FF 65 C6 85 AA FD FF FF 54 C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 AA FD FF FF 54 C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 AB FD FF FF 68 C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 AC FD FF FF 72 C6 85 AD FD FF FF 65 C6 85 AE FD FF FF 61 C6 85 AF FD FF FF 64 C6 85 B0 FD FF FF 00 }', '{ C6 85 AC FE FF FF 57 C6 85 AD FE FF FF 61 C6 85 AE FE FF FF 69 C6 85 AF FE FF FF 74 C6 85 B0 FE FF FF 46 C6 85 B1 FE FF FF 6F C6 85 B2 FE FF FF 72 C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 AD FE FF FF 61 C6 85 AE FE FF FF 69 C6 85 AF FE FF FF 74 C6 85 B0 FE FF FF 46 C6 85 B1 FE FF FF 6F C6 85 B2 FE FF FF 72 C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 AE FE FF FF 69 C6 85 AF FE FF FF 74 C6 85 B0 FE FF FF 46 C6 85 B1 FE FF FF 6F C6 85 B2 FE FF FF 72 C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 AF FE FF FF 74 C6 85 B0 FE FF FF 46 C6 85 B1 FE FF FF 6F C6 85 B2 FE FF FF 72 C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B0 FE FF FF 46 C6 85 B1 FE FF FF 6F C6 85 B2 FE FF FF 72 C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B1 FE FF FF 6F C6 85 B2 FE FF FF 72 C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B2 FE FF FF 72 C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B3 FE FF FF 53 C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B4 FE FF FF 69 C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B5 FE FF FF 6E C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B6 FE FF FF 67 C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B7 FE FF FF 6C C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B8 FE FF FF 65 C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 B9 FE FF FF 4F C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 BA FE FF FF 62 C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 BB FE FF FF 6A C6 85 BC FE FF FF 65 C6 85 BD FE FF FF 63 C6 85 BE FE FF FF 74 C6 85 BF FE FF FF 00 }', '{ C6 85 14 FE FF FF 47 C6 85 15 FE FF FF 65 C6 85 16 FE FF FF 74 C6 85 17 FE FF FF 43 C6 85 18 FE FF FF 6F C6 85 19 FE FF FF 6D C6 85 1A FE FF FF 6D C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 15 FE FF FF 65 C6 85 16 FE FF FF 74 C6 85 17 FE FF FF 43 C6 85 18 FE FF FF 6F C6 85 19 FE FF FF 6D C6 85 1A FE FF FF 6D C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 16 FE FF FF 74 C6 85 17 FE FF FF 43 C6 85 18 FE FF FF 6F C6 85 19 FE FF FF 6D C6 85 1A FE FF FF 6D C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 17 FE FF FF 43 C6 85 18 FE FF FF 6F C6 85 19 FE FF FF 6D C6 85 1A FE FF FF 6D C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 18 FE FF FF 6F C6 85 19 FE FF FF 6D C6 85 1A FE FF FF 6D C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 19 FE FF FF 6D C6 85 1A FE FF FF 6D C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 1A FE FF FF 6D C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 1B FE FF FF 61 C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 1C FE FF FF 6E C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 1D FE FF FF 64 C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 1E FE FF FF 4C C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 1F FE FF FF 69 C6 85 20 FE FF FF 6E C6 85 21 FE FF FF 65 C6 85 22 FE FF FF 41 C6 85 23 FE FF FF 00 }', '{ C6 85 24 FE FF FF 6E C6 85 25 FE FF FF 74 C6 85 26 FE FF FF 64 C6 85 27 FE FF FF 6C C6 85 28 FE FF FF 6C C6 85 29 FE FF FF 2E C6 85 2A FE FF FF 64 C6 85 2B FE FF FF 6C C6 85 2C FE FF FF 6C C6 85 2D FE FF FF 00 }', '{ C6 85 25 FE FF FF 74 C6 85 26 FE FF FF 64 C6 85 27 FE FF FF 6C C6 85 28 FE FF FF 6C C6 85 29 FE FF FF 2E C6 85 2A FE FF FF 64 C6 85 2B FE FF FF 6C C6 85 2C FE FF FF 6C C6 85 2D FE FF FF 00 }', '{ C6 85 26 FE FF FF 64 C6 85 27 FE FF FF 6C C6 85 28 FE FF FF 6C C6 85 29 FE FF FF 2E C6 85 2A FE FF FF 64 C6 85 2B FE FF FF 6C C6 85 2C FE FF FF 6C C6 85 2D FE FF FF 00 }', '{ C6 85 27 FE FF FF 6C C6 85 28 FE FF FF 6C C6 85 29 FE FF FF 2E C6 85 2A FE FF FF 64 C6 85 2B FE FF FF 6C C6 85 2C FE FF FF 6C C6 85 2D FE FF FF 00 }', '{ C6 85 28 FE FF FF 6C C6 85 29 FE FF FF 2E C6 85 2A FE FF FF 64 C6 85 2B FE FF FF 6C C6 85 2C FE FF FF 6C C6 85 2D FE FF FF 00 }', '{ C6 85 29 FE FF FF 2E C6 85 2A FE FF FF 64 C6 85 2B FE FF FF 6C C6 85 2C FE FF FF 6C C6 85 2D FE FF FF 00 }', '{ C6 85 C0 FE FF FF 4E C6 85 C1 FE FF FF 74 C6 85 C2 FE FF FF 55 C6 85 C3 FE FF FF 6E C6 85 C4 FE FF FF 6D C6 85 C5 FE FF FF 61 C6 85 C6 FE FF FF 70 C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C1 FE FF FF 74 C6 85 C2 FE FF FF 55 C6 85 C3 FE FF FF 6E C6 85 C4 FE FF FF 6D C6 85 C5 FE FF FF 61 C6 85 C6 FE FF FF 70 C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C2 FE FF FF 55 C6 85 C3 FE FF FF 6E C6 85 C4 FE FF FF 6D C6 85 C5 FE FF FF 61 C6 85 C6 FE FF FF 70 C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C3 FE FF FF 6E C6 85 C4 FE FF FF 6D C6 85 C5 FE FF FF 61 C6 85 C6 FE FF FF 70 C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C4 FE FF FF 6D C6 85 C5 FE FF FF 61 C6 85 C6 FE FF FF 70 C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C5 FE FF FF 61 C6 85 C6 FE FF FF 70 C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C6 FE FF FF 70 C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C7 FE FF FF 56 C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C8 FE FF FF 69 C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C9 FE FF FF 65 C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 CA FE FF FF 77 C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 CB FE FF FF 4F C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 CC FE FF FF 66 C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 CD FE FF FF 53 C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 CE FE FF FF 65 C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 CF FE FF FF 63 C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 D0 FE FF FF 74 C6 85 D1 FE FF FF 69 C6 85 D2 FE FF FF 6F C6 85 D3 FE FF FF 6E C6 85 D4 FE FF FF 00 }', '{ C6 85 C4 FD FF FF 4E C6 85 C5 FD FF FF 74 C6 85 C6 FD FF FF 57 C6 85 C7 FD FF FF 72 C6 85 C8 FD FF FF 69 C6 85 C9 FD FF FF 74 C6 85 CA FD FF FF 65 C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 C5 FD FF FF 74 C6 85 C6 FD FF FF 57 C6 85 C7 FD FF FF 72 C6 85 C8 FD FF FF 69 C6 85 C9 FD FF FF 74 C6 85 CA FD FF FF 65 C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 C6 FD FF FF 57 C6 85 C7 FD FF FF 72 C6 85 C8 FD FF FF 69 C6 85 C9 FD FF FF 74 C6 85 CA FD FF FF 65 C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 C7 FD FF FF 72 C6 85 C8 FD FF FF 69 C6 85 C9 FD FF FF 74 C6 85 CA FD FF FF 65 C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 C8 FD FF FF 69 C6 85 C9 FD FF FF 74 C6 85 CA FD FF FF 65 C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 C9 FD FF FF 74 C6 85 CA FD FF FF 65 C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 CA FD FF FF 65 C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 CB FD FF FF 56 C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 CC FD FF FF 69 C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 CD FD FF FF 72 C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 CE FD FF FF 74 C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 CF FD FF FF 75 C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 D0 FD FF FF 61 C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 D1 FD FF FF 6C C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 D2 FD FF FF 4D C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 D3 FD FF FF 65 C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 D4 FD FF FF 6D C6 85 D5 FD FF FF 6F C6 85 D6 FD FF FF 72 C6 85 D7 FD FF FF 79 C6 85 D8 FD FF FF 00 }', '{ C6 85 DC FD FF FF 52 C6 85 DD FD FF FF 65 C6 85 DE FD FF FF 67 C6 85 DF FD FF FF 69 C6 85 E0 FD FF FF 73 C6 85 E1 FD FF FF 74 C6 85 E2 FD FF FF 65 C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 DD FD FF FF 65 C6 85 DE FD FF FF 67 C6 85 DF FD FF FF 69 C6 85 E0 FD FF FF 73 C6 85 E1 FD FF FF 74 C6 85 E2 FD FF FF 65 C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 DE FD FF FF 67 C6 85 DF FD FF FF 69 C6 85 E0 FD FF FF 73 C6 85 E1 FD FF FF 74 C6 85 E2 FD FF FF 65 C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 DF FD FF FF 69 C6 85 E0 FD FF FF 73 C6 85 E1 FD FF FF 74 C6 85 E2 FD FF FF 65 C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E0 FD FF FF 73 C6 85 E1 FD FF FF 74 C6 85 E2 FD FF FF 65 C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E1 FD FF FF 74 C6 85 E2 FD FF FF 65 C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E2 FD FF FF 65 C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E3 FD FF FF 72 C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E4 FD FF FF 43 C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E5 FD FF FF 6C C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E6 FD FF FF 61 C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E7 FD FF FF 73 C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 E8 FD FF FF 73 C6 85 E9 FD FF FF 45 C6 85 EA FD FF FF 78 C6 85 EB FD FF FF 41 C6 85 EC FD FF FF 00 }', '{ C6 85 70 FD FF FF 43 C6 85 71 FD FF FF 72 C6 85 72 FD FF FF 65 C6 85 73 FD FF FF 61 C6 85 74 FD FF FF 74 C6 85 75 FD FF FF 65 C6 85 76 FD FF FF 57 C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 71 FD FF FF 72 C6 85 72 FD FF FF 65 C6 85 73 FD FF FF 61 C6 85 74 FD FF FF 74 C6 85 75 FD FF FF 65 C6 85 76 FD FF FF 57 C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 72 FD FF FF 65 C6 85 73 FD FF FF 61 C6 85 74 FD FF FF 74 C6 85 75 FD FF FF 65 C6 85 76 FD FF FF 57 C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 73 FD FF FF 61 C6 85 74 FD FF FF 74 C6 85 75 FD FF FF 65 C6 85 76 FD FF FF 57 C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 74 FD FF FF 74 C6 85 75 FD FF FF 65 C6 85 76 FD FF FF 57 C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 75 FD FF FF 65 C6 85 76 FD FF FF 57 C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 76 FD FF FF 57 C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 77 FD FF FF 69 C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 78 FD FF FF 6E C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 79 FD FF FF 64 C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 7A FD FF FF 6F C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 7B FD FF FF 77 C6 85 7C FD FF FF 45 C6 85 7D FD FF FF 78 C6 85 7E FD FF FF 41 C6 85 7F FD FF FF 00 }', '{ C6 85 30 FE FF FF 50 C6 85 31 FE FF FF 6F C6 85 32 FE FF FF 73 C6 85 33 FE FF FF 74 C6 85 34 FE FF FF 4D C6 85 35 FE FF FF 65 C6 85 36 FE FF FF 73 C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 31 FE FF FF 6F C6 85 32 FE FF FF 73 C6 85 33 FE FF FF 74 C6 85 34 FE FF FF 4D C6 85 35 FE FF FF 65 C6 85 36 FE FF FF 73 C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 32 FE FF FF 73 C6 85 33 FE FF FF 74 C6 85 34 FE FF FF 4D C6 85 35 FE FF FF 65 C6 85 36 FE FF FF 73 C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 33 FE FF FF 74 C6 85 34 FE FF FF 4D C6 85 35 FE FF FF 65 C6 85 36 FE FF FF 73 C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 34 FE FF FF 4D C6 85 35 FE FF FF 65 C6 85 36 FE FF FF 73 C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 35 FE FF FF 65 C6 85 36 FE FF FF 73 C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 36 FE FF FF 73 C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 37 FE FF FF 73 C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 38 FE FF FF 61 C6 85 39 FE FF FF 67 C6 85 3A FE FF FF 65 C6 85 3B FE FF FF 41 C6 85 3C FE FF FF 00 }', '{ C6 85 B4 FD FF FF 44 C6 85 B5 FD FF FF 65 C6 85 B6 FD FF FF 66 C6 85 B7 FD FF FF 57 C6 85 B8 FD FF FF 69 C6 85 B9 FD FF FF 6E C6 85 BA FD FF FF 64 C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 B5 FD FF FF 65 C6 85 B6 FD FF FF 66 C6 85 B7 FD FF FF 57 C6 85 B8 FD FF FF 69 C6 85 B9 FD FF FF 6E C6 85 BA FD FF FF 64 C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 B6 FD FF FF 66 C6 85 B7 FD FF FF 57 C6 85 B8 FD FF FF 69 C6 85 B9 FD FF FF 6E C6 85 BA FD FF FF 64 C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 B7 FD FF FF 57 C6 85 B8 FD FF FF 69 C6 85 B9 FD FF FF 6E C6 85 BA FD FF FF 64 C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 B8 FD FF FF 69 C6 85 B9 FD FF FF 6E C6 85 BA FD FF FF 64 C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 B9 FD FF FF 6E C6 85 BA FD FF FF 64 C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 BA FD FF FF 64 C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 BB FD FF FF 6F C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 BC FD FF FF 77 C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 BD FD FF FF 50 C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 BE FD FF FF 72 C6 85 BF FD FF FF 6F C6 85 C0 FD FF FF 63 C6 85 C1 FD FF FF 41 C6 85 C2 FD FF FF 00 }', '{ C6 85 F0 FD FF FF 47 C6 85 F1 FD FF FF 65 C6 85 F2 FD FF FF 74 C6 85 F3 FD FF FF 53 C6 85 F4 FD FF FF 74 C6 85 F5 FD FF FF 61 C6 85 F6 FD FF FF 72 C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F1 FD FF FF 65 C6 85 F2 FD FF FF 74 C6 85 F3 FD FF FF 53 C6 85 F4 FD FF FF 74 C6 85 F5 FD FF FF 61 C6 85 F6 FD FF FF 72 C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F2 FD FF FF 74 C6 85 F3 FD FF FF 53 C6 85 F4 FD FF FF 74 C6 85 F5 FD FF FF 61 C6 85 F6 FD FF FF 72 C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F3 FD FF FF 53 C6 85 F4 FD FF FF 74 C6 85 F5 FD FF FF 61 C6 85 F6 FD FF FF 72 C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F4 FD FF FF 74 C6 85 F5 FD FF FF 61 C6 85 F6 FD FF FF 72 C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F5 FD FF FF 61 C6 85 F6 FD FF FF 72 C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F6 FD FF FF 72 C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F7 FD FF FF 74 C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F8 FD FF FF 75 C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 F9 FD FF FF 70 C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 FA FD FF FF 49 C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 FB FD FF FF 6E C6 85 FC FD FF FF 66 C6 85 FD FD FF FF 6F C6 85 FE FD FF FF 41 C6 85 FF FD FF FF 00 }', '{ C6 85 78 FE FF FF 56 C6 85 79 FE FF FF 69 C6 85 7A FE FF FF 72 C6 85 7B FE FF FF 74 C6 85 7C FE FF FF 75 C6 85 7D FE FF FF 61 C6 85 7E FE FF FF 6C C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 79 FE FF FF 69 C6 85 7A FE FF FF 72 C6 85 7B FE FF FF 74 C6 85 7C FE FF FF 75 C6 85 7D FE FF FF 61 C6 85 7E FE FF FF 6C C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 7A FE FF FF 72 C6 85 7B FE FF FF 74 C6 85 7C FE FF FF 75 C6 85 7D FE FF FF 61 C6 85 7E FE FF FF 6C C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 7B FE FF FF 74 C6 85 7C FE FF FF 75 C6 85 7D FE FF FF 61 C6 85 7E FE FF FF 6C C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 7C FE FF FF 75 C6 85 7D FE FF FF 61 C6 85 7E FE FF FF 6C C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 7D FE FF FF 61 C6 85 7E FE FF FF 6C C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 7E FE FF FF 6C C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 7F FE FF FF 50 C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 80 FE FF FF 72 C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 81 FE FF FF 6F C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 82 FE FF FF 74 C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 83 FE FF FF 65 C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 84 FE FF FF 63 C6 85 85 FE FF FF 74 C6 85 86 FE FF FF 45 C6 85 87 FE FF FF 78 C6 85 88 FE FF FF 00 }', '{ C6 85 8C FE FF FF 45 C6 85 8D FE FF FF 78 C6 85 8E FE FF FF 69 C6 85 8F FE FF FF 74 C6 85 90 FE FF FF 50 C6 85 91 FE FF FF 72 C6 85 92 FE FF FF 6F C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }', '{ C6 85 8D FE FF FF 78 C6 85 8E FE FF FF 69 C6 85 8F FE FF FF 74 C6 85 90 FE FF FF 50 C6 85 91 FE FF FF 72 C6 85 92 FE FF FF 6F C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }', '{ C6 85 8E FE FF FF 69 C6 85 8F FE FF FF 74 C6 85 90 FE FF FF 50 C6 85 91 FE FF FF 72 C6 85 92 FE FF FF 6F C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }', '{ C6 85 8F FE FF FF 74 C6 85 90 FE FF FF 50 C6 85 91 FE FF FF 72 C6 85 92 FE FF FF 6F C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }', '{ C6 85 90 FE FF FF 50 C6 85 91 FE FF FF 72 C6 85 92 FE FF FF 6F C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }', '{ C6 85 91 FE FF FF 72 C6 85 92 FE FF FF 6F C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }', '{ C6 85 92 FE FF FF 6F C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }', '{ C6 85 93 FE FF FF 63 C6 85 94 FE FF FF 65 C6 85 95 FE FF FF 73 C6 85 96 FE FF FF 73 C6 85 97 FE FF FF 00 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Executed a process and injected code into it, probably while unpacking
injection: e9b7110334eeff9ee59b.exe(3012) -> e9b7110334eeff9ee59b.exe(3472)
Screenshots
Session Playback
No playback available.
Hosts
No hosts contacted.
Summary
C:\Users\user\AppData\Local\Temp\apfHQ
C:\ProgramData
\Device\KsecDD
C:\Windows\System32\wininet.dll
C:\Windows\System32\en-US\wshtcpip.dll.mui
C:\Windows\System32\en-US\wship6.dll.mui
C:\Windows\System32\en-US\wshqos.dll.mui
C:\ProgramData\backup.txt
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\ProgramData
\Device\KsecDD
C:\Windows\System32\wininet.dll
C:\Windows\System32\en-US\wshtcpip.dll.mui
C:\Windows\System32\en-US\wship6.dll.mui
C:\Windows\System32\en-US\wshqos.dll.mui
C:\ProgramData\backup.txt
C:\Windows\System32\en-US\KERNELBASE.dll.mui
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDetectedUrl
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadNetworkName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDetectedUrl
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadNetworkName
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDecision
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadNetworkName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0142869F-3C91-4532-B21C-FA3FB67E7E37}_{5082518F-199F-471A-A7DB-EF9850F5E9AB}\WpadDetectedUrl
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.VirtualProtect
kernel32.dll.GlobalAlloc
kernel32.dll.GetLastError
kernel32.dll.Sleep
kernel32.dll.VirtualAlloc
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Module32First
kernel32.dll.CloseHandle
user32.dll.MessageBoxA
user32.dll.GetMessageExtraInfo
kernel32.dll.WinExec
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualFree
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
kernel32.dll.WaitForSingleObject
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetCommandLineA
ntdll.dll.NtUnmapViewOfSection
ntdll.dll.NtWriteVirtualMemory
user32.dll.RegisterClassExA
user32.dll.CreateWindowExA
user32.dll.PostMessageA
user32.dll.GetMessageA
user32.dll.DefWindowProcA
kernel32.dll.GetFileAttributesA
kernel32.dll.GetStartupInfoA
kernel32.dll.VirtualProtectEx
kernel32.dll.ExitProcess
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
kernel32.dll.CreateMutexA
urlmon.dll.URLDownloadToFileA
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
iphlpapi.dll.NotifyUnicastIpAddressChange
cryptbase.dll.SystemFunction036
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
iphlpapi.dll.ConvertInterfaceGuidToLuid
ws2_32.dll.GetAddrInfoW
urlmon.dll.CoInternetCreateSecurityManager
urlmon.dll.CoInternetCreateZoneManager
ws2_32.dll.GetAddrInfoExW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.QueryActCtxW
kernel32.dll.GetModuleHandleExW
kernel32.dll.CreateActCtxW
kernel32.dll.ActivateActCtx
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.DeactivateActCtx
ws2_32.dll.getaddrinfo
ws2_32.dll.getnameinfo
ws2_32.dll.freeaddrinfo
ws2_32.dll.#112
ws2_32.dll.#9
ws2_32.dll.#15
ws2_32.dll.WSASocketA
ws2_32.dll.#7
ws2_32.dll.#2
ws2_32.dll.#6
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
ole32.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6
ws2_32.dll.WSAGetOverlappedResult
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.AcquireSRWLockShared
kernel32.dll.ReleaseSRWLockShared
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.VirtualProtect
kernel32.dll.GlobalAlloc
kernel32.dll.GetLastError
kernel32.dll.Sleep
kernel32.dll.VirtualAlloc
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Module32First
kernel32.dll.CloseHandle
user32.dll.MessageBoxA
user32.dll.GetMessageExtraInfo
kernel32.dll.WinExec
kernel32.dll.CreateFileA
kernel32.dll.WriteFile
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualFree
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
kernel32.dll.SetThreadContext
kernel32.dll.ResumeThread
kernel32.dll.WaitForSingleObject
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetCommandLineA
ntdll.dll.NtUnmapViewOfSection
ntdll.dll.NtWriteVirtualMemory
user32.dll.RegisterClassExA
user32.dll.CreateWindowExA
user32.dll.PostMessageA
user32.dll.GetMessageA
user32.dll.DefWindowProcA
kernel32.dll.GetFileAttributesA
kernel32.dll.GetStartupInfoA
kernel32.dll.VirtualProtectEx
kernel32.dll.ExitProcess
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
kernel32.dll.CreateMutexA
urlmon.dll.URLDownloadToFileA
ws2_32.dll.#23
ws2_32.dll.#21
ws2_32.dll.WSAIoctl
ws2_32.dll.#3
ws2_32.dll.#116
iphlpapi.dll.NotifyIpInterfaceChange
api-ms-win-downlevel-ole32-l1-1-0.dll.CoInitializeEx
iphlpapi.dll.NotifyUnicastIpAddressChange
cryptbase.dll.SystemFunction036
api-ms-win-downlevel-advapi32-l1-1-0.dll.EventWrite
api-ms-win-downlevel-ole32-l1-1-0.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
iphlpapi.dll.ConvertInterfaceGuidToLuid
ws2_32.dll.GetAddrInfoW
urlmon.dll.CoInternetCreateSecurityManager
urlmon.dll.CoInternetCreateZoneManager
ws2_32.dll.GetAddrInfoExW
oleaut32.dll.#8
oleaut32.dll.#9
oleaut32.dll.DllGetClassObject
oleaut32.dll.DllCanUnloadNow
advapi32.dll.RegOpenKeyW
api-ms-win-downlevel-ole32-l1-1-0.dll.StringFromIID
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
api-ms-win-downlevel-ole32-l1-1-0.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.QueryActCtxW
kernel32.dll.GetModuleHandleExW
kernel32.dll.CreateActCtxW
kernel32.dll.ActivateActCtx
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.DeactivateActCtx
ws2_32.dll.getaddrinfo
ws2_32.dll.getnameinfo
ws2_32.dll.freeaddrinfo
ws2_32.dll.#112
ws2_32.dll.#9
ws2_32.dll.#15
ws2_32.dll.WSASocketA
ws2_32.dll.#7
ws2_32.dll.#2
ws2_32.dll.#6
api-ms-win-downlevel-ole32-l1-1-0.dll.CoSetProxyBlanket
ole32.dll.ObjectStublessClient10
oleaut32.dll.#2
ole32.dll.CoTaskMemFree
api-ms-win-downlevel-advapi32-l1-1-0.dll.RegEnumKeyExW
oleaut32.dll.#6
ws2_32.dll.WSAGetOverlappedResult
kernel32.dll.AcquireSRWLockExclusive
kernel32.dll.ReleaseSRWLockExclusive
kernel32.dll.AcquireSRWLockShared
kernel32.dll.ReleaseSRWLockShared
"C:\Users\user\AppData\Local\Temp\e9b7110334eeff9ee59b.exe"
serhershesrhsfesrf
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.