BLOB1|0x0|{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
BLOB1|0x47|wpcap.dll
BLOB1|0x51|MsMpEng.exe
BLOB1|0x5d|advapi32.dll
BLOB1|0x6a|aabcdeefghiijklmnoopqrstuuvwxyyz
BLOB1|0x8b|Packages
BLOB1|0x94|*/*
BLOB1|0x98|WRSA.exe
BLOB1|0xa1|tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
BLOB1|0x10e|vbs
BLOB1|0x112|open
BLOB1|0x117|select 
BLOB1|0x11f|Create
BLOB1|0x126|Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
BLOB1|0x170|shlwapi.dll
BLOB1|0x17c|SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
BLOB1|0x1ac|FALSE
BLOB1|0x1b2|.dat
BLOB1|0x1b7|Win32_Bios
BLOB1|0x1c2|user32.dll
BLOB1|0x1cd|WQL
BLOB1|0x1d1|Caption
BLOB1|0x1d9|coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
BLOB1|0x208|dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
BLOB1|0x233|Win32_Process
BLOB1|0x241|.cfg
BLOB1|0x246|aswhookx.dll
BLOB1|0x253|image/gif
BLOB1|0x25d|Initializing database...
BLOB1|0x276|AvastSvc.exe
BLOB1|0x283|%ProgramFiles%\Internet Explorer\iexplore.exe
BLOB1|0x2b1|.exe
BLOB1|0x2b6|setupapi.dll
BLOB1|0x2c3|Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
For Each objFile in colFiles
objFile.Copy("%s")
Next
BLOB1|0x3af|Content-Type: application/x-www-form-urlencoded
BLOB1|0x3df|%SystemRoot%\SysWOW64\msra.exe
BLOB1|0x3fe|ROOT\CIMV2
BLOB1|0x409|%SystemRoot%\explorer.exe
BLOB1|0x423|SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
BLOB1|0x455|SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
BLOB1|0x48c|Win32_ComputerSystem
BLOB1|0x4a1|crypt32.dll
BLOB1|0x4ad|SELECT * FROM AntiVirusProduct
BLOB1|0x4cc|wmic process call create 'expand "%S" "%S"'

BLOB1|0x4f9|t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
BLOB1|0x521|aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
BLOB1|0x548|c:\\
BLOB1|0x54d|c:\hiberfil.sysss
BLOB1|0x55f|%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
BLOB1|0x592|application/x-shockwave-flash
BLOB1|0x5b0|netapi32.dll
BLOB1|0x5bd|SELECT * FROM Win32_OperatingSystem
BLOB1|0x5e1|Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
BLOB1|0x6b5|.dll
BLOB1|0x6ba|displayName
BLOB1|0x6c6|CommandLine
BLOB1|0x6d2|Win32_PnPEntity
BLOB1|0x6e2|kernel32.dll
BLOB1|0x6ef|SOFTWARE\Microsoft\Windows Defender\SpyNet
BLOB1|0x71a|avp.exe;kavtray.exe
BLOB1|0x72e|%SystemRoot%\System32\mobsync.exe
BLOB1|0x750|%s\system32\
BLOB1|0x75d|%S.%06d
BLOB1|0x765|SAVAdminService.exe;SavService.exe
BLOB1|0x788|\\.\pipe\
BLOB1|0x792|aswhooka.dll
BLOB1|0x79f| from 
BLOB1|0x7a6|mpr.dll
BLOB1|0x7ae|mcshield.exe
BLOB1|0x7bb|SELECT * FROM Win32_Processor
BLOB1|0x7d9|WScript.Sleep %u
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
WSCript.Sleep 2000
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("%s")
BLOB1|0x91b|ws2_32.dll
BLOB1|0x926|TRUE
BLOB1|0x92b|%SystemRoot%\SysWOW64\OneDriveSetup.exe
BLOB1|0x953|Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
BLOB1|0x995|SystemRoot
BLOB1|0x9a0|\sf2.dll
BLOB1|0x9a9|ALLUSERSPROFILE
BLOB1|0x9b9|cmd.exe
BLOB1|0x9c1|shell32.dll
BLOB1|0x9cd|Name
BLOB1|0x9d2|Software\Microsoft
BLOB1|0x9e5|winsta0\default
BLOB1|0x9f5|SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
BLOB1|0xa2a|ntdll.dll
BLOB1|0xa34|fshoster32.exe
BLOB1|0xa43|%SystemRoot%\System32\xwizard.exe
BLOB1|0xa65|MBAMService.exe;mbamgui.exe
BLOB1|0xa81|image/jpeg
BLOB1|0xa8c|C:\INTERNAL\__empty
BLOB1|0xaa0|%SystemRoot%\SysWOW64\explorer.exe
BLOB1|0xac3|%SystemRoot%\SysWOW64\mobsync.exe
BLOB1|0xae5|1234567890
BLOB1|0xaf0|%SystemRoot%\System32\msra.exe
BLOB1|0xb0f|SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
BLOB1|0xb49|fmon.exe
BLOB1|0xb52|snxhk_border_mywnd
BLOB1|0xb65|%SystemRoot%\System32\OneDriveSetup.exe
BLOB1|0xb8d|LastBootUpTime
BLOB1|0xb9c|Win32_Product
BLOB1|0xbaa|egui.exe;ekrn.exe
BLOB1|0xbbc|urlmon.dll
BLOB1|0xbc7|ccSvcHst.exe
BLOB1|0xbd4|Win32_PhysicalMemory
BLOB1|0xbe9|NTUSER.DAT
BLOB1|0xbf4|avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
BLOB1|0xc1a|%SystemRoot%\SysWOW64\explorer.exe
BLOB1|0xc3d|SubmitSamplesConsent
BLOB1|0xc52|cscript.exe
BLOB1|0xc5e|S:(ML;;NW;;;LW)
BLOB1|0xc6e|wtsapi32.dll
BLOB1|0xc7b|Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
BLOB1|0xcc4|image/pjpeg
BLOB1|0xcd0|type=0x%04X
BLOB1|0xcdc|reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
BLOB1|0xd0b|vkise.exe;isesrv.exe;cmdagent.exe
BLOB1|0xd2d|LocalLow
BLOB1|0xd36|%SystemRoot%\explorer.exe
BLOB1|0xd50|SpyNetReporting
BLOB1|0xd60|ByteFence.exe
BLOB1|0xd6e|abcdefghijklmnopqrstuvwxyz
BLOB1|0xd89|Win32_DiskDrive
BLOB1|0xd99|%SystemRoot%\SysWOW64\xwizard.exe
BLOB1|0xdbb|bdagent.exe;vsserv.exe;vsservppl.exe
BLOB1|0xde0|root\SecurityCenter2
BLOB1|0xdf5|wininet.dll
BLOB2|0x0|ProfileImagePath
BLOB2|0x11|qwinsta
BLOB2|0x19|\System32\WindowsPowerShell\v1.0\powershell.exe
BLOB2|0x49|/t4
BLOB2|0x4d|net view /all
BLOB2|0x5b|netstat -nao
BLOB2|0x68|srvpost.exe;frida-winjector-helper-32.exe;frida-winjector-helper-64.exe
BLOB2|0xb0|route print
BLOB2|0xbc|524
BLOB2|0xc0|118
BLOB2|0xc4|.lnk
BLOB2|0xc9|cmd /c set
BLOB2|0xd4|net localgroup
BLOB2|0xe3|powershell.exe
BLOB2|0xf2|nltest /domain_trusts /all_trusts
BLOB2|0x114|SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
BLOB2|0x14d|arp -a
BLOB2|0x154|%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
BLOB2|0x1ad|jHxastDcds)oMc=jvh7wdUhxcsdt2
BLOB2|0x1cb|regsvr32.exe -s 
BLOB2|0x1dc| /c ping.exe -n 6 127.0.0.1 &  type "%s\System32\calc.exe" > "%s"
BLOB2|0x21e|\System32\WindowsPowerShell\v1.0\powershell.exe
BLOB2|0x24e|"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "%s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
BLOB2|0x2c3|VIRTUAL-PC
BLOB2|0x2ce|Microsoft
BLOB2|0x2d8|SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BLOB2|0x306|amstream.dll
BLOB2|0x313|whoami /all
BLOB2|0x31f|A3E64E55_pr;VBoxVideo
BLOB2|0x335|at.exe %u:%u "%s" /I
BLOB2|0x34a|Virtual
BLOB2|0x352|artifact.exe;mlwr_smpl;sample;sandbox;cuckoo-;virus
BLOB2|0x386|Red Hat VirtIO;QEMU
BLOB2|0x39a|nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.%s
BLOB2|0x3d6|Self test FAILED!!!
BLOB2|0x3ea|Self test OK.
BLOB2|0x3f8|%s "$%s = \"%s\"; & $%s"
BLOB2|0x411|net share
BLOB2|0x41b|%s \"$%s = \\\"%s\\\\; & $%s\"
BLOB2|0x43a|error res='%s' err=%d len=%u
BLOB2|0x457|ipconfig /all