SmartHawk

3.4

中危

56 个模型检测该样本为恶意！

重新分析

下载样本

05c8cbd8e5353d19cda79a909da73b1fcf52ac81c10841c9c5b229c428dcbe08

05c8cbd8e5353d19cda79a909da73b1fcf52ac81c10841c9c5b229c428dcbe08.exe

分析耗时

135s

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.14	Unknown	0.05s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.03s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.73	Unknown	0.22s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	None	20190527	0.3.0.5
Avast	Win32:Malware-gen	20200501	18.4.3895.0
Baidu	None	20190318	1.0.0.2
CrowdStrike	win/malicious_confidence_100% (D)	20190702	1.0
Kingsoft	None	20200501	2013.8.14.323
McAfee	GenericRXEK-XA!333C2D70AD17	20200501	6.0.6.653
Tencent	Malware.Win32.Gencirc.10b8b809	20200501	1.0.0.1

Time & API	Arguments	Status	Return	Repeated
1727545308.79675 GetComputerNameW	computer_name: TU-PC	success	1	0

Time & API	Arguments	Status	Return
1727545308.79675 CryptGenKey	provider_handle: 0x005f4698 algorithm_identifier: 0x0000a400 (CALG_RSA_KEYX) flags: 134217729 crypto_handle: 0x00608bc0	success	1
1727545308.79675 CryptExportKey	crypto_handle: 0x00608bc0 crypto_export_handle: 0x00000000 blob_type: 6 flags: 0 buffer: ¤RSA11éPßéxÒ=b ©fhÔMï\> A<ð»@óÌãï:VrÝmi8s5ËñÕc~`§18òÕÂ °à¯Þ¶ç@T0ÓñÎûnl:î\|©Ì(áÅF\|ý¯¿¦èYòÿ}!ðLpðö¬½Qnm¼¯ûÑýN¨õÆøè!\S(ÔÿU×´TT ÛÚQùõ9û3ðú¦6µB¬ÖDx4vlêÓÅ(ê`»]±ÖUå%ä<,.AÝ~£;^¢^Ýé}!p`þVÚ§b!Spe$_1·± t<ñ(¦8æÅ6æ	success	1
1727545308.79675 CryptExportKey	crypto_handle: 0x00608bc0 crypto_export_handle: 0x00000000 blob_type: 7 flags: 0 buffer: ¤RSA21éPßéxÒ=b ©fhÔMï\> A<ð»@óÌãï:VrÝmi8s5ËñÕc~`§18òÕÂ °à¯Þ¶ç@T0ÓñÎûnl:î\|©Ì(áÅF\|ý¯¿¦èYòÿ}!ðLpðö¬½Qnm¼¯ûÑýN¨õÆøè!\S(ÔÿU×´TT ÛÚQùõ9û3ðú¦6µB¬ÖDx4vlêÓÅ(ê`»]±ÖUå%ä<,.AÝ~£;^¢^Ýé}!p`þVÚ§b!Spe$_1·± t<ñ(¦8æÅ6æT l±ØÔQ¡R×äÞ·!õr¤? ±û¨ ý;û¼kãÞ0ï©ú¢±·ÛZ_0íï ÑOe÷94^Ôl 9¤êÏµ¹uÜ1¬Á®¯JÄÕ×âÙAvn × 0;Â=Ò(£Â¼^p@QûØÙ=¸ÿ±\|o¿Æ±wPââz\|fN]6Öð8¨_ 8}Ä=ëVmfd]»fL['Ñ 5ñüêxrTé{~rN°<Yp@¿M?{¨ï°z5_Lfó ïéMrÚGàã¸#°±þ'#sq)Æuc"«¹ÄLæ/=®ª6^8W Ë1²¨z¯ïÁúåIM?{áóhúKª.H(.A:ºÉé»ÜDà4ò7ª¥ßû ËØw=ÑÃï0ðÃFÖâ5:¹0¥±L¦ÔK<¼-©´I@ÅWàíÂÎ]¢ÂÎ&´w8+X£Ò¶sê¦TÑäh»í7¹¶.9cöyÑ:æîfð1hµÿÈÙÿÖîuãmbQfO³a¥äPãòÉ½u®rbF=íá±Ä;.âª1kêßð®¨mòGB©¬2nQÌ½wBß¹ã¦óýK·ÅáÄYD[!ëZrQ¾ Ç#ÔA¹õ¿«]S÷ÜtïÅ>«XÌ1;bJ®ûí¦ðañwúv!Æ¢`Ø[Ì$ö<fê@øë¢Þ·7=åôå ìc@4a¡4ðÉ£HV¨}$ÍÔe }¾µ¬ðR\Ë=÷#QH\|3bsÙYù1 Vâ¡>QI¸××xeªê²!>jÁN¹]U¬fLRDß`Bórüìc§]²éÁ=ª³RuÈ²AýÀb-ÇjãaÈ9p¢é\| ¢6ZíØà_¸#Ïø§\|ûÖ@*V®ÅA\|y ÍL%vl@ûYg;F_0[%ÙÎÜOs²u+ÊÑóÓK3Z{È¦KÞ[¢Ï45p"ÏCÐj6BsqqÂxVgíÙÄt«;¯0³?ñà5ÏûWCÁÝwNT\oötÚßàÉ^¸n%p©J	success	1

Time & API	Status	Return
1727545309.547125 GlobalMemoryStatusEx	success	1
1727545311.24925 GlobalMemoryStatusEx	success	1
1727545312.95275 GlobalMemoryStatusEx	success	1
1727545314.24925 GlobalMemoryStatusEx	success	1
1727545315.547125 GlobalMemoryStatusEx	success	1
1727545316.859625 GlobalMemoryStatusEx	success	1
1727545318.1565 GlobalMemoryStatusEx	success	1
1727545319.469 GlobalMemoryStatusEx	success	1
1727545320.76525 GlobalMemoryStatusEx	success	1
1727545322.047125 GlobalMemoryStatusEx	success	1
1727545323.36 GlobalMemoryStatusEx	success	1
1727545324.6565 GlobalMemoryStatusEx	success	1
1727545325.952375 GlobalMemoryStatusEx	success	1
1727545327.24925 GlobalMemoryStatusEx	success	1
1727545328.57775 GlobalMemoryStatusEx	success	1
1727545329.890875 GlobalMemoryStatusEx	success	1
1727545331.20275 GlobalMemoryStatusEx	success	1
1727545332.484625 GlobalMemoryStatusEx	success	1
1727545333.797125 GlobalMemoryStatusEx	success	1
1727545335.12425 GlobalMemoryStatusEx	success	1
1727545336.438125 GlobalMemoryStatusEx	success	1
1727545337.719 GlobalMemoryStatusEx	success	1
1727545339.031875 GlobalMemoryStatusEx	success	1
1727545340.344 GlobalMemoryStatusEx	success	1
1727545341.640875 GlobalMemoryStatusEx	success	1
1727545342.952375 GlobalMemoryStatusEx	success	1
1727545344.265875 GlobalMemoryStatusEx	success	1
1727545345.594 GlobalMemoryStatusEx	success	1
1727545346.9065 GlobalMemoryStatusEx	success	1
1727545348.202375 GlobalMemoryStatusEx	success	1
1727545349.484625 GlobalMemoryStatusEx	success	1
1727545350.7815 GlobalMemoryStatusEx	success	1
1727545352.077375 GlobalMemoryStatusEx	success	1
1727545353.37425 GlobalMemoryStatusEx	success	1
1727545354.672125 GlobalMemoryStatusEx	success	1
1727545355.953 GlobalMemoryStatusEx	success	1
1727545357.24925 GlobalMemoryStatusEx	success	1
1727545358.547125 GlobalMemoryStatusEx	success	1
1727545359.827375 GlobalMemoryStatusEx	success	1
1727545361.109625 GlobalMemoryStatusEx	success	1
1727545362.390875 GlobalMemoryStatusEx	success	1
1727545363.68775 GlobalMemoryStatusEx	success	1
1727545364.984625 GlobalMemoryStatusEx	success	1
1727545366.2965 GlobalMemoryStatusEx	success	1
1727545367.577375 GlobalMemoryStatusEx	success	1
1727545368.87425 GlobalMemoryStatusEx	success	1
1727545370.172125 GlobalMemoryStatusEx	success	1
1727545371.469 GlobalMemoryStatusEx	success	1
1727545372.7815 GlobalMemoryStatusEx	success	1
1727545374.077375 GlobalMemoryStatusEx	success	1

Time & API	Arguments	Status
1727545302.54675 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x005cb000 length: 102400 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545305.39075 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x00400000 length: 167936 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545305.40675 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x00412000 length: 77824 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545305.40675 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00450000 region_size: 94208 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545305.43775 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x00412000 length: 77824 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545306.43775 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x000b0000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545306.43775 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x000f0000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545306.99975 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00140000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545307.01575 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00180000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545307.15675 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00180000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545307.15675 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00180000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545307.17175 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00110000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545307.17175 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00120000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545308.96875 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x01f70000 region_size: 12288 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545308.96875 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x01f80000 region_size: 12288 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545309.18775 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x01f70000 region_size: 98304 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545309.18775 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00590000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545309.18775 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x030e0000 region_size: 4096 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545309.18775 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x030e0000 region_size: 36864 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545309.18775 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x03100000 region_size: 8192 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success

Time & API	Arguments	Status	Return	Repeated
1727545308.81275 GetDiskFreeSpaceW	root_path: C:\ sectors_per_cluster: 8 bytes_per_sector: 512 number_of_free_clusters: 1782182 total_number_of_clusters: 8362495	success	1	0

Time & API	Arguments	Status	Return	Repeated
1727545307.17175 Process32NextW	snapshot_handle: 0x00005198 process_name: taskhost.exe process_identifier: 1084	success	1	0
1727545307.17175 Process32NextW	snapshot_handle: 0x00005198 process_name: 05c8cbd8e5353d19cda79a909da73b1fcf52ac81c10841c9c5b229c428dcbe08.exe process_identifier: 3028	success	1	0

Time & API	Arguments	Status
1727545310.032125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545311.73425 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545313.01575 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545314.31225 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545315.610125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545316.937625 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545318.2345 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545319.547 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545320.82725 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545322.110125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545323.407 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545324.7185 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545326.031375 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545327.31225 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545328.65675 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545329.968875 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545331.26575 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545332.562625 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545333.891125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545335.20225 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545336.500125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545337.797 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545339.093875 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545340.422 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545341.718875 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545343.031375 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545344.343875 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545345.657 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545346.9685 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545348.265375 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545349.546625 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545350.8435 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545352.140375 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545353.45225 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545354.735125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545356.016 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545357.32725 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545358.610125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545359.890375 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545361.171625 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545362.452875 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545363.76575 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545365.046625 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545366.3595 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545367.640375 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545368.95225 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545370.250125 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545371.532 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545372.8435 GetAdaptersAddresses	family: 0 flags: 1158	success
1727545374.156375 GetAdaptersAddresses	family: 0 flags: 1158	success

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2018-03-23 15:16:52

PE Imphash

5180b86c145a635292f366eada63a7d3

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x0000b93a	0x0000ba00	6.627204451224694
.rdata	0x0000d000	0x00002c34	0x00002e00	4.840775157692173
.data	0x00010000	0x0001566c	0x00001400	3.0311343019332413
.rsrc	0x00026000	0x0001b01e	0x0001b200	7.9603627258773715
.reloc	0x00042000	0x00000f98	0x00001000	4.58315636126557

Resources

Name	Offset	Size	Language	Sub-language	File type
JNKK	0x0002619c	0x00018427	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_ICON	0x0003e5c4	0x000025a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_GROUP_ICON	0x00040b6c	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_VERSION	0x00040b80	0x000001dc	LANG_NEUTRAL	SUBLANG_NEUTRAL	None
RT_MANIFEST	0x00040ec4	0x0000015a	LANG_ENGLISH	SUBLANG_ENGLISH_US	None
RT_MANIFEST	0x00040ec4	0x0000015a	LANG_ENGLISH	SUBLANG_ENGLISH_US	None

Imports

Library KERNEL32.dll:

• 0x40d024 GetTapeStatus

• 0x40d028 FindAtomA

• 0x40d02c SetLocaleInfoW

• 0x40d030 EraseTape

• 0x40d034 VirtualProtect

• 0x40d038 Module32NextW

• 0x40d03c TlsAlloc

• 0x40d040 GetConsoleSelectionInfo

• 0x40d044 GetProcAddress

• 0x40d048 CreateFileW

• 0x40d04c HeapSize

• 0x40d050 FlushFileBuffers

• 0x40d054 HeapReAlloc

• 0x40d058 HeapAlloc

• 0x40d05c GetStringTypeW

• 0x40d060 LCMapStringW

• 0x40d064 IsProcessorFeaturePresent

• 0x40d068 WriteConsoleW

• 0x40d06c SetStdHandle

• 0x40d070 LoadLibraryW

• 0x40d074 GetPrivateProfileIntA

• 0x40d078 SetCommBreak

• 0x40d07c CreateJobObjectW

• 0x40d080 GetCPInfo

• 0x40d084 GetStringTypeA

• 0x40d088 lstrlenA

• 0x40d08c CloseHandle

• 0x40d090 FileTimeToDosDateTime

• 0x40d094 RtlUnwind

• 0x40d098 GetCommandLineW

• 0x40d09c HeapSetInformation

• 0x40d0a0 GetStartupInfoW

• 0x40d0a4 UnhandledExceptionFilter

• 0x40d0a8 SetUnhandledExceptionFilter

• 0x40d0ac IsDebuggerPresent

• 0x40d0b0 EncodePointer

• 0x40d0b4 DecodePointer

• 0x40d0b8 TerminateProcess

• 0x40d0bc GetCurrentProcess

• 0x40d0c0 EnterCriticalSection

• 0x40d0c4 LeaveCriticalSection

• 0x40d0c8 GetModuleHandleW

• 0x40d0cc ExitProcess

• 0x40d0d0 WriteFile

• 0x40d0d4 GetStdHandle

• 0x40d0d8 GetModuleFileNameW

• 0x40d0dc FreeEnvironmentStringsW

• 0x40d0e0 GetEnvironmentStringsW

• 0x40d0e4 SetHandleCount

• 0x40d0e8 InitializeCriticalSectionAndSpinCount

• 0x40d0ec GetFileType

• 0x40d0f0 DeleteCriticalSection

• 0x40d0f4 TlsGetValue

• 0x40d0f8 TlsSetValue

• 0x40d0fc TlsFree

• 0x40d100 InterlockedIncrement

• 0x40d104 SetLastError

• 0x40d108 GetCurrentThreadId

• 0x40d10c GetLastError

• 0x40d110 InterlockedDecrement

• 0x40d114 HeapCreate

• 0x40d118 QueryPerformanceCounter

• 0x40d11c GetTickCount

• 0x40d120 GetCurrentProcessId

• 0x40d124 GetSystemTimeAsFileTime

• 0x40d128 SetFilePointer

• 0x40d12c WideCharToMultiByte

• 0x40d130 GetConsoleCP

• 0x40d134 GetConsoleMode

• 0x40d138 GetACP

• 0x40d13c GetOEMCP

• 0x40d140 IsValidCodePage

• 0x40d144 HeapFree

• 0x40d148 Sleep

• 0x40d14c MultiByteToWideChar

Library USER32.dll:

• 0x40d15c ToAsciiEx

• 0x40d160 EnumPropsW

• 0x40d164 GetKeyNameTextA

• 0x40d168 ReplyMessage

• 0x40d16c CreateDesktopA

• 0x40d170 DlgDirSelectExA

• 0x40d174 WindowFromPoint

• 0x40d178 GetUpdateRect

• 0x40d17c DrawFocusRect

• 0x40d180 SetWindowContextHelpId

• 0x40d184 CreateWindowExA

• 0x40d188 GetWindowContextHelpId

• 0x40d18c GetActiveWindow

• 0x40d190 EqualRect

• 0x40d194 SetWindowTextA

• 0x40d198 DrawEdge

Library GDI32.dll:

• 0x40d000 SetMetaFileBitsEx

• 0x40d004 CreateColorSpaceA

• 0x40d008 GdiSetBatchLimit

• 0x40d00c GetMapMode

• 0x40d010 CreateFontIndirectExW

• 0x40d014 GetTextAlign

• 0x40d018 GetTextExtentExPointA

• 0x40d01c GetTextMetricsW

Library MSIMG32.dll:

• 0x40d154 TransparentBlt

L!This u"
cm cannot be run in DOS mode.
`.rdata
@.data
@.reloc
tAt2t$
U SW3j
3Y}]9]
;tV;|BMx
YYt"Mx
39]fD~
YY]jXh0@
395hFB
ffffffE
YM_3[:
3PPPPP
ItWhtFlt
3F tBP
itqnt(o
cj0XfQf>
t-RPSW>
u(~"j OwYt
u(~"j0O
j OKYt
`pM_^3[,
YYt|+ ;u
@;u`3@
ItUhtDlt
HHtXHHt
4itqnt(o
t-RPSWy/
0@?If90t
;u+(;u
u'~! OFt
`pM_^3[
1E3PeuEEEEd
Y__^[]Q
E_^[]E
9csmu)=T6B
t hT6B
8csmu*x
YYuTVWhA@
;r=P6B
3]j hP@
th5D6B
3PPPPP*V5
@Y<v*V5
^SSSSSyj
;tFtA3
S^`N`H
j$Y~\d9
QY^`[_^]
tAVWP2
3Y[_^58
3PPPPP
UQV3W}
ft;uf t
Bf8\tf8"u8
ft$9Uu
UQQSVWh
[]YY?sJM
_[^SVW0
j@j ^V
H3H/5@5B
;rSWf9M
YYt:V5H
YF\=x@
43_V5D@
YYt0V5H
E3E3;u
 EU_^j
W34809}
4 3,9E
P4UM`8
DQP C@
,PVEP$
3+4H;M
(PVHP$
(PVHP$
r3VVhU
QH++PPVh
(P+P5P$
\,+48;E
40?D8Y1$
8+0[M_3^
WPWPWv
M_3[Pj
whu;5x
8]tEMap<u
TM_^3[Gj
nM}_hu
3W;to=
t4V0;t(W8jYt
Fpt"~l
lVYYYEE
t.VYt"V
VYt.VYt"V
VgYt.V[Yt"VO
]39}~0N
D=VPYYtG;}|fE
YYM_^3[
YYu,9E
E`p;39]
YY]VD$
_};=`FB
47YX6B
W>+~,WPVxYP
Y/V|Yt
Y}3u;5`FB
tVPVPYY3BUX6B
F3uX6B
4VYYYE
F$|3@_^
f;v6;t
Map_^[;t&;w 
8]tE`py
<E`p0M
]SVWT$
URPQQhf@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
B(;r3_^[]
1E3PEd
Y_^[]j
Y+t"+t
+tY+uC}
Uw\]Yp
u>OdMGd
uwdSUY
UQSV5@
;r>PurYYt/
Eu}hx@
3M_^3['
ft'Ou"+
jPfDJXdf
^0o_^]
DDDDDDDDDDDDDD
S3VW;|[;
t6<0t0=
S3VW;~E
@;u+H;}
39](SSu
]9]tWuu
};~Bj3X
3;t?uWuuu
t"SS9] u
EYe_^[M3
u(Eu$u u
ES3VW]9]
39] SSu
ESEYe_^[M3
>67v /v$'v(v,
v8v<@v@vDvHvLvPvTvXv\v`vdvhvlvpvt|vxtv|l@
PYv4;5L
P5YF ;
P#YF$;
PYvL;5d
u,D ;t
Y3MW0u
SJYUSVWUj
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
FGIuX^_]
EPQEPEj
WVcYtP@5B
^]UV3PPPPPPPPU
UV3PPPPPPPPU
RQMQVp
YY]UWVSM
EM;M}O}
EPMQUR
hzgh%B
~<hi.U
(a}5hx@
UREPMQj
Fu^8Mt
MW3;u"
E`p^[9M
E`p33PPPPP!
[SMQMQp
E`p3[_^
MN{u#@{j
xs@PVS
E`p3_^[
^VMQMQp
(z0ylS]
z0yS;t
_WMQMQp
tS]3K}-
et_EtZfu
VVVVVAw^UW}
MOwEP3SSSSWEPEPv
E`p3M_^3[i
MvEP3SSSSWEPEP
E`p3M_^3[UWVu
DDDDDDDDDDDDDD
Wj@PWV
PEP"YYEPj
^3[u3PPPPPoWVU33D$
u'339\u
JBtj3Y+@M
}99}r"9U
JBjY+3B\M
3+BL1<
Jy3^jY+
u'339\u
JBtj3Y+@M
}99}r"9U
JBjY+3B\M
3+BL1<
Jy3^jY+
FWE}MuMMMMMMM9M$u
<+t"<-t
h<+t<-tk}
+t HHt
B:t,1<
+JMtHHt
B:}QMEO?
tEPuEP
}M]U3EE
3f;uAE
f;u!AC
u4}u+e
f;r#33f9EE
EAV#f}
W]EEE?E
S3PPPPP
\3f9Ut
EfUu}M
3f;uGE
90t!uuE
EMuUm
HuMu9Et
u4}u+e
33f9EE
UUUUU3##
f;wK3EE9
}fEEEEEf}Z33f9u
Ea3f;u
f~7}x+EMe
EM}Um
H}Mu9Et
u4}u+e
f;r#33f9EE
ufEEEEEfu
~(E]Mm
0K;]sE;]s
EM_^3[
K;sE;s3f
SVW}f]3
395(5B
S3VWEN@
tfM_^fH
(null)
`h````
xpxxxx
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
komekelakumokatoxewenogime wozibagewehegabuxapetezoxukadehi
Du nuperowajojiwoketekoharimi sojunene woboditikepubaviwusulecirekida detanimubugiveraliyuraye nezijojoyi bixukevitiju
%s %f %c
nimiwoma
hulinowujovimuxatelo zabemaperetaboyazowa vituxifuyuyakixi
fozotetuvotasafuzapujiyihukewu wovezusigafexidoyubi
xuxedo puwebalovofopoxe kemodozemofamulapogenuki lohamupunizuyozufazexetifibo mudesukikepimurilajilacata
jumecetaxekapavasura
GlobalAlloc
kanepagulumagusuxutuvadapayabige
Va penoyotoretunurosacidutezajogu fatixiposapapabicu boyokopusidonoyododusahehu
dagesadupecaxemacehiho cibojavoyovohiru jagahamuwifujuwexu
Nu boxifikaheyifoyano ximavujuro bicipuwave kurohijiweguvo
1#QNAN
1#SNAN
FileTimeToDosDateTime
lstrlenA
GetStringTypeA
GetCPInfo
CreateJobObjectW
SetCommBreak
GetPrivateProfileIntA
LoadLibraryW
GetProcAddress
GetTapeStatus
FindAtomA
SetLocaleInfoW
EraseTape
VirtualProtect
Module32NextW
TlsAlloc
GetConsoleSelectionInfo
KERNEL32.dll
SetWindowTextA
EqualRect
GetActiveWindow
GetWindowContextHelpId
CreateWindowExA
SetWindowContextHelpId
DrawFocusRect
GetUpdateRect
DrawEdge
WindowFromPoint
DlgDirSelectExA
CreateDesktopA
ReplyMessage
GetKeyNameTextA
EnumPropsW
ToAsciiEx
USER32.dll
GetTextExtentExPointA
GetTextAlign
CreateFontIndirectExW
GetMapMode
GdiSetBatchLimit
CreateColorSpaceA
SetMetaFileBitsEx
GetTextMetricsW
GDI32.dll
TransparentBlt
MSIMG32.dll
GetCommandLineW
HeapSetInformation
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
TerminateProcess
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetModuleHandleW
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
GetLastError
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetACP
GetOEMCP
IsValidCodePage
HeapFree
MultiByteToWideChar
RtlUnwind
SetStdHandle
WriteConsoleW
IsProcessorFeaturePresent
LCMapStringW
GetStringTypeW
HeapAlloc
HeapReAlloc
FlushFileBuffers
HeapSize
CreateFileW
CloseHandle
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ix@oGAkU'9p|B
~QCv)/&D(
uuvHMXB
9;5SM]=];Z] T7aZ%]g']
?Zd;On
7?3=Bz
;1az?aUY~S|
D?$?9'
*?}d|FU>c{
zc%C1<!8G
u7.:3q
#2IZ9W
,%I-64OSk%Y
:.y~(zBE
6aa1U"
D_L`#cP5%>
D/N~R9I"7^
6+QM\qApm4u#CS=~
6S)\9e4NFC
]5T#V,|
?d1M1uC
T]/C%@
bInIGGC
<]n/ka
d"e4j?_^njyKZdT2k(+1
4+5Ne
&ai\h 
]gPR; 
U0wb7h\8nrrm
xoRKbd
so$@`w"
4mE-:O6
t&GIx9
VnQLWZ#|
4zd>iu 9,*
C@%fv'
2j]j/bl
oB@\Na!#!2d)
XN'7iq
=QkU eykzXt
d:9{U#\z%!
^&CY$V
i!8bDQ
>j~o6_qN)?
Aioi#rO
A1lg_[
5\&(8L!)
z">el~
l&d\_P'/*
6vIT]c)#
yx&+l5p (
TLpW1s.Z?
un`yY#eb
P')4IA
]h;T2A
MtH #{Oe}3
=95lf$"uW
2krrNM<TjQnYi/CQN)8/V
j7RD[[
l_dj&/'
2PIAy-
\2|-(*Y*
9CmD^g
j:pMp<7nH
opx}8
+I3B;`7
~h<ICD,
`n<k":?n
kMf+uOW
rKi:Q+*O
'DX= B3_aXp
QHwY=#!`|L
mM%21@~
lOD(hm}<@=U6[]v{
j'\B2m
[I3:}wtrce/
HVZ"~K
fjZ&h-
@*B]JX$
Mnn)I@YC n`Zd
 pV13yu,<'r
CQ6W4Ho
}E9Xbl
n/shOj
Sv+F_n Af6
zJ@**0K1R.
`by@* 
RvZ'DPz*
u!#3@E6E@
,k#2u5]dF
H_hTfA(kQ2(
Y7 S]1%}:la
*aw=,W|z
o6?L@X
$Vk,Kor
FqWAna
IJWz0C
ftq}6Y=
W#J,@|9~Kp
Rwu?B:
y5Q4E*f
4T4.o9,
"L52j{<
$_>>Z[ 
U3W`<a
m/k;~K`Y
'k{:}3
'*yvMDz
0bEo.q$e$jP,{An=WXd
N?g3-f
]S2Qw_C.?RHN
?L*n*n~
7<Fe)=
|TJOD|Nv
r7oOa4mD_(,'
Nzv.2uy
vp|Mx"1
!uLo\<
_)PI>o-)`
/,7[)N@
>-0%sBh
n9JCIMZJ&3~K^
AJo^-b3vgLXWO%8
KDB&|XNb
8~P%x,t
/pmI83,
G"saEdtR7P
oH4${or
;w%6Gj
$Pj(c0
VsE:jtMnu
Bfg9LD'3 
:yB(k~.i[kh4=c:
l(w:W).
<B!v6X{
t7|I8B@
8=^&|+
n$TN2c
rTtKKr_
JEes~r
F%Gyr7:MZ
CA?k@InM
jJEel6dS
R%k}C/N<B:Q
zyO'4p
$,?"S#vv-o
"W]>6KE
dO^5/r/tM;Uu
2Vb+{0#i:
XJmkb_
@60q.6
IB:#O|\\)
yVFC~^e
.cmEPC"e@Z
_"#dp,
"FS&h+5VALu
qZ^e|n
j{>iL@ZG
9F;;_Dl
2tYKU1
A8[gVG
&AhY!AY
C!}wLrtKA)
2!HQGt
My\\r_
xlS4x{+;\ 
ki5F\-
1|p,:BRc.u
{ Ou D
[@ZUDGC
P^9?L|cyh QHC.;
'$KJujJUB[
Z"K-\E
7RTA&F
;"`C"R
_J~~Y3UzgnWd.2
kI_L`\karV]b6tdz4W<
FfP29$k12
6Q8U#GS/d
+4>Uer~L~
QN)x+$.
fYz|pL
2R^6$'k
Q@=b!O+>`Cg?
u5<0&ik
Ze7seZBtr
Z(M 5Cee
|u`GOkj
h}bLE"
=?G2fl*g!P
@'(kra
p*syoG#{JhDtT:$.
smK!Iq<SyB}/[/
W}kg=OE(QQ9
Vv8k.)Q#jb8I,7Jt#H*rrM(#[c]/
|?f5 C
N&w$ +~mYl[
+b0t5Q;Z(
0GM%6S
=%&prZ
'ku&aW:
!x~(P0l9^Z@r78
6X|g!/>"
s0?W$u3</)YJ
-53=,a
gd9T)Wi}3?#yr6
..bfbe
b%qKcG4\
*tky}:Gwk
H,gwF"
wa[Rd$6qhb}
l]X<j uT%j~
-zNHe&o
H5C,\l
WH0|D4h=
z>CWtq61
 Ta=mc%.
vT}^I$9
.]cT[x{
H$<V}]
025Q!Q{Np
qjO2G^Y
)aUOi,lM
l'|:G>R
vWy/i/}hA
//&:z 
ZC{@7l
uVQw3[[
,ogHj'm
{Vn!5f;dD]
VI,vy3 KT
"<"9~`m
SFy>Pv
cI-20R
YnHIsj
CUtS,aE
i&x ea
 ]1;S4)F
uS]W*^n@.nF
%~[hi,AF[A-
El;y@I
RSP%(cOCe&O,
/Pear|A_-
kt2$a+
lWg35MTKxA
I[,u4GT&
3bO$=Ca}
R _-N|(y
p|8E9rp
1c5fFu1)~>z
RdED3^`
}"D%Vl6
! {n">Z
)WjU*6r
!iqM%1
XX RYWX$c
7s66#v{
^zp=s:
kn'Uri'?JU{t
l(SM$uw
:>lZesG)4
G@iN+jrx:
"!\d8IK)
RMq:bN+a"
K0GEuOP0
$K<xd\+.6
\2Aymad
8"N6.$
g%wZo?0
wr.7H"yy
@[pQb_
8&5w3]'gUl
\Z5c)JDac
sY0?@KfiQ
%vG/Dq
KJ8K[Rw%!)K+B
8:kU:f/EV yD
Q3fG_
PkfEp5CGgis\06v
P]5dA<O
M-<[aem-m8M
j8<pq 
7'iXa]1W5
"o\B|]
#k/4)l
v#>O.xe}
b.BT,{Kuk~{-J
0kH=lrI?
g_x?@O)
{"4C 7Z(x-.d
#9u6gWJ
KcW:YdB
?Y3Rtn
'+(CI0^
A@(F?i
,d1GdR
cpRB'>
921G-#
h:]-@I
7g_EUT+)
{1#Do$F
Yrm iW
F^PD} 
vczZpS
z[EQW:{9KpM(j[mcY0K2
:=z()Jck^
5J;sI7'{vx
{bQ,+
g$LxF|(K[z^
]wb-Uu-
* TiO$7).
T=B+xq
b+|0Eqt
u0Fdn.5V+ 7
E~vNW&(
t-\7SM
hgwz-W$zE
Q4^hh54
@o5^BE6XZx~;S
O>ZRsy1
2lq=D$
rU`+U i.
vAO,O8
&93_ua(~_
XP-~0J
t-GYok
Y=qwb
fU?q?Kq
(w")TTf$^-R
hjG36TJ{Zr
;/(r!X
!fdw\3
o9 [U(/^
{_UmO1^*
4FFn882
1|Bwkz7I0n
>,v{s*GWGL
?$vkk:2
UWg.00
h#yQI,/
}<E;%Q
81P=hcB
[h*k+G|+
sd"gN#XG
/`y~fv1+|rLaL}qMu"9c}kS
L29YoG
jd^v;1k
x.dhRX
?Ge}UzWO[
\b$^}7|~
]%Ex U5?b9q..
UNE2z?
05rFhPn
xeIsv\0
;2Bxyb(d~
>QP8y`<`1
g_P\;<v{q]xX
:MNGS2
QE9GVG**4YFy8
{r0lH,\/hO"
%:1l3pAz+V
'f^1Q*
)L1jX6x
\XuMEV-
FV!G|6&hd$G9
RF\?nT
aIgL!L
tcQj*l48p
HZN9n'
y,R]'7s4]{
FSkzo1xq^,
=LiZ;M-L`VFo
"1^W1_6
Z2JdwF
3n3Hl<
iaQ0+?f
P;Uq0(5k
]|m7sA
M$S+h$%m$:
t0i@Mv
AJ!-Qa8rs~\
24kNRIDA
tR:0OPI
`M F)1nU
-emh3)'P
|:cdHv%R
IBu+I sfHn
&HDt%[^e
"$3>\0LLn
,Oi(N4w
4Ns>n/C|cw
M@m!Tfs
.~pynhHS!)lC
yY$)IIDV
"}l1l&e-?NWW,k
zMF<ST:K`ha*xK
:*=zqf/
app's*
L`TRf!Pk
Qp+^WS(
O)7}P.
8T>bAKG~
2x,\b["
=cedA=q
zM}Bj#ntw`5ZW
/L=$O~i|`dX
5f|I=lMx
LdzSM4;Oe+@&u
&[AU?v8
!-7Vxk{
9OH4:^
6fav)i6
GiHQo`
S/gawax
>;gf{ 
N_`(@gY7|
+A~7#w$a6M
)-u"Bkq84aNe
mOx)uc
.>8A@P[^${$
]0t/Cc/s
o]z!6@
7>EuyTA+
:Gw%1lyz
 _ZcUUqA
A1qt:p
(4c3[.(zu 
&9@_^FB7
M0P_R1:BK|
Agf/M<
--go}w
c28^ga
.UzWtE>K6
]r5s|n
x#),E/
#]BZk=(YO
4w|PqJj
v]c{H%
+F7kmK# #:H^*
L|)ul2WHl9,~4ucc#K@&
8A*x'gc&D1
I~4b`h4
YMGpQc
:TeP{Xx9*QDq
Jde pb<j#.?j%Y_v
ElJ[xZhVf
S}bteG2xcp_b
]7jgJVZNor>
VACZ^z?
nH^nL4
;5JLFSxt
e|=6ub;H
1X'DXQS'
-rwA%5
|*X%<cJ8<v
k.!>#q^
x6?YZ}?B
eDinx*
3k[,B8j
 Suu&X
:N}#)v
m*`oUc
]SDAj<Ep
f#gz*z
tgHfSd
|$6~H"(R&9
gRsAHE0>
_/lOED/e@%rH!
{Br8.'?Q,{
)n1<*k
yHfvA?
/r<ky`?8bcYB>@\7Yo
x# %%4_G
$p8($!r
p2fUT,vd2HR/
rP=w$QX
J4MRVQoB`
]^mq#b~n
=BT'9f^^Y
HF4fxTZs
]o64|`
B3VpQ(;
~c{4 lh9$
N!B/xo
bZ~*>2
P4XdlgzO
I@s,A"x
J Uqfv%ms
a$~SN|&
0$>h1i
VGa?TSh
|6H(C(ow
k]P^jZX
jnHk1Y"v
nzeo&.p4
q8B`ZO,
\Pfw7 .D#7a9 F
$(r}C5
r__-Rp
#V\J}^t[LFT1
.ngmUkh=?y
N*YPL,{
NLm}h~
/'281`;*4hUx
njit/B@
$4z/A9`Ck,Ci
<=qXJ`
E`V?Hz<@_r
+&%D Rw
<+[9PJ
JOkre_s
i(M=hm%
8TsVRX
U(`.WEQD
eG}Ll2
pQ-0BtP
1]^7Q-a
+y{d:$
J{"OS2eD/i
@)~XSs[
#&:M+v#A
;Dd&\z"4
<z6JLJ
mD+"(o
fwSmcmBa[
:nEI'N(
YP0!jDeGI
B14D&a
|o9Q~y@7Z=#~
+vuy!h}|As
^$WX+b-m
Sf3>O
bQ-od"i\P3:#`
p@]76+Eq
:s,+N??-2
9bpxF/R"e
V'ZlWg
^~y*$,Qo
gpK6#"&P
CTCK9.
oi22{}Y^s!
qy>u<D^>?
n!m,&F
k9I2l5
_=HuWmY.s[
giT7(8c<{
4_h<x6E
qbL)EH
YFcfv`N3[)
u5m79S-c
D \(H_f
k|Yco9^R0?f
G$@Qw27WfsU
fD(:@6aaG@8
"$V8C_SG
"0h?R 
h/|vRIfa?
cs++H(B>im
DHa/wU
NYkO<kj6T-7s{H
dE6QOn
!P`<gV+i
.?7=3\#+lv9*F`,
})kXc^
ntP]wKld
-/c5JY
naGr)a}3
lc%f$A+m
UfMwwA
jRu~-)B
Ibv8EJ+
0<8axcro
g`h5b9c2GX$3m98Z7s7e
3JNl1U
G]Q^'w
-GWV_I*aL>]<mP
EaIPN]
zZ@4=8
T~'i,qe
]}{nV"]
8iL~U)"b'
4(%cFLEQ*jSa
,]\/@[
xv:&wo'f
 m~2K%i
h,Dg"xr
E=jZ?uC=
Xz1ueEIP}5
\i@}/"
T)jIIe
YN"De/Y*\!9v
0JMv9>
'*XF@>
SW xv6~9E=
`qi&8#I
&yF/<B
3quBLB
{6G<#
L WM@d^no0;'Q
n-k6]AFN4.H$A0W^:=6M2}
<Hw9Mj
Ai{[j-iY0;
u3i%.TG`77
C'Bue7
*,Eko(Zu;9>
(AHkfQS4
`LI&bmLyv
/SLu-@
d~EEH
e7}=fHNwww
rDsG"b.
[]9=h"J
|SQ7!+-d
n1!QJ!
6<@j?A{5
.\Y3vj.
69N/oqu~j
FqK(r{CG
j6$|@|<
/d4!`@dJ
}phBp:<
n_i*M7
0yHX3Z
|h^>hd_:V u
[|4y^d
~M(B k
8MD%2C!a*#
sG^#F9p.^T
mCth2'vsrp,
$zl_]}7.&
}a;)W(
X:x]=Q+Bt
h6:'-h
Kik}IGy&
HF2&m 6/yJOY
Is#ZPw+
E))zr4%
mD&n>.97
`':N"gb
z4<X4L
.(E};u
aB+W }%
'wAgZF9
&NI~xIv?1&o
FgV]x26a
 'dH+`
KPPV{^MR
j*D^C^W
`CcHq!{
c5\]BdV#_i
=@yTFfq.
A4/?NX
SrC:G
Ln4j>c
lh{pT_.
@HZS)3
^lJ}**zT8S!47
DpM{<a
&>9^8@
_?u9@s
'w=t0lO>X;r
&^dP,a_Is^c
Ghfb3}*i
+|'p\2
n-bR23kBS>9
-/E(g*N
uQnL95"
TT{Kw'vD]#i,o
#l+8Mvh
nWn?N4
"''@D&Fs[
=F&a[&*E}AK-vs4d+]^
2$?Hwv{
}n8/^bS'aNdEh
H.N(.
]C$n[V2%u
<hnAqhCY
j|(}ad&K
@},O8E2]B+
j:xKr[
|KTr5@|t
Zxstswx
qzawgs
bQKj#(OzEBT
-IVy4lp#@Ty.#Atk
dhphyU}_U
<E{Z{i
/C2.F(}
R50xr^@
T.NwXM|
@u|Zuffs9O
Ou-1Sd>IH
:&iXZp+ =
;<L |tXB`jKd
XwcDZmJk
$|#olZ6V;b
?pYdzA
SQ{%%Z>k
X@uk\n,mh
hu,ALC.
%W}Z%t
5_rZMqy
/)o`jp$W;
hSkffiu4
N["%#/Yl
pnerrM!t
m{=PXt\Bfh'
WhXh=pO
60i%L 
/]UYSXeV
6pftzl
.wWM(1
?@.;Cs^a
1\aru?r&~*
VB@S-U
Z)C!&@{
VqOUf-
t0..uTM
&Z39,m(
;FY{n4ja}
x :Ex36h;
zZ7]Y.T'Aa|4LY3W
wnOIc}Cv0
K$464o
gcPBr4e
g9e)Q0~
%5:x;Zg
!=NgO/A#
\*@Wd`XE(
E3l]y$*UBX
f1H|_Q?L1
a[Kw-OHJ"
\h0Pc;D(
> F{mnrFl
={)RU\\|NOq^Z^og7_1L;M
I50,[U
{9]!"-.
`8&%(R?Y
YnW({|
u"K$h+84
ysuoz|
oZ'K&c>:Q;b
)GxyI/JY
jo_I^SY
}0FBAxED)l^
yEu*o+a
VE2(7B:
E}WC=A
4@0aH
3] AP['o rx%e*
on'y,9
6lKUQum
.%>E!M+s
C|?Q(NP4}pC~
 =Glp4l
59=mfU
kUPr`r
+c4,hnZ
HbY=F,e
<|5~z6~9_BCRqR
99&ThG
$7*9y_8"
4&hR2^\
""5.x:>a/MiBvA
]#WY<ONl4Q
g_k0$5{Et5/=`~Y
af$<^Zn[qg
Zo!]z{h
2]^ s*
[gWEu:
G[Xx!xK
H+*c3*"8T2XQn
9Qm6ad>,<
6>{TJN
T6DM*<
T2yv+V3<?2
HZ0i{ Ut
FV4]9A<P
]:!W#g]"j
O8Q5u3O(
12ld}"
GfZ+H[F
4MhJn0(szspm)
o@#9~PK
x(<pS6
nM4PZ
S8>[KO3O2
hBN~k>
z>U'!V_|
O4|*[!bt0/L
b?b$$@"
-c%BvH
%<2X5
S<?7;^
3td0HlFU
[zeo@@8$]
<Z/<e7t
i$P,";
8I'koK
3 ?djkl@5h
 R)[#]h
Q}'2`im
NMwy+153S
+v!87H
(s=`/.
S'F2<z
h}I{Ru
d{mehH
qM}5ZTI3Tc
F[q.L&
iCIfjU*c
GQheVO
3\:mY,
"gi@{-'\f
S1Kqz8
BlG.Z![Fi8
~Pz{pbYO^
7$$,le
=@"9Sc=+Lt\
s-Gb`y=W
wX?U38
s=4C2C
@'.048=pw|
IrU~*u
cGH5%YO
3}a yw
|*u_UF
X-!?qvr s
YT)Z7w
.6mzrC
xX4Tizj&.^lkd0^
@:-oLiB&NyM{]H!399Y
(w^j.2zND
#MA5?Q
sDMGaB(0A
k6_[6 1x]
_#NhMbW&3` m
1oFZ^k]A
gC2Z#pj
JB)j%V
1P]{hQ1
5i4u{p
{Kqvo2f
GV/C>j
t`|F%[N
p2t4=:hRg
/&-_S?f
&s4YK,"vW9zc%s{
hKS>9R-2m\y
\FL{<O
w&X$l<V
lBbsa 6azo,O
fa<fo>*)
QM@ajUA1f7(
/|cE/~/<R-
~SQpG]n
7&7|3dAr-
"R!dh
78sf-"b
Z,X(Ob
8FpXkde
j10x7M
>=n?1)PKL,
_1N$/`9tnd)V
_OfM(>r]
-W"5"dq,
(u0qnZ>$Ht/
CmnSwOh
e=67$/
PY!+|[$s't`
m2lL^$/DB
}T,e\V
IQ%ZKcU^>x8$
O;/;W5
t~df^#j,
GEP<G X
hAp;O]1
0y9fl:
-y5SW`
z:FI>
64{);`
JA(A"G%D
Q%lVd{7a
}44Lue|H;
Pr6':'
ke8ZSV4E
o9H4t-Z
W&`%du#_7
#}3OA%QU
z{xr=`.
v%ONaEM@@
CIc6Hb~
bwzp31
)/.KhcX]Y1.B
_<)LSb32#
c5G"-}S,i
x0W}b!
4J!1n
'0jL^GuC{
Ib/{rU$bqr<
fT!r,BfA./P
g-fc8I]
2I|d"
2aZy6p
$|,&S0
gEFSP`Um
H7*9v~vJ
G99'OJ
%N/-RZR
\$`ht1J
09(1XN;T"\
~2 2`$w
2t=e@TI2Bw
S$3N7Xt8J9
I<="|_
jo.+4^
SFm0;H{]Y
G!gQPN
KfK#^@; `p
~&WD9s
2QgyVe9
hK0d]V4w>
-#3kS)
z. r~u'hv
j/y<4D
!_3(w8?
B%z a9,B\
bNtew<+<]l+2-
`iEh~p$'
370l|
64)Ba(v
E9'upw
3huV`6)(N7
z&cTj\0x
D]pjebF3
K}D[!$*
A6uK+V
Y2CWg"X)6
lBq;NX:!,ab
`PMyx
EO'oR;
mp|4zk&Cvi
Ou:xe"#
e?u1J4U
Pm0>Q8qYg{9
PrO|D|o
{'2TB-.2
aga~Ox"^}hC
'G*(^\
B;L9L*Y
|Ylw78$x!4
~!LrHt
xgt/d 9
]"?eXd
,\N)Mv
5{2B9N
/}a)F9KzoSmqmkd}$
tzwt*&
~g3T/)c0\
l/R+gvF
Wbk]n3_;N
Tz/)FKF
T6|X_mz
4hgEC2&
PXdV]7 
`>n[Z+`ha%
G;~Z-
])8'|O&CjF=co
;<)jAe
j{|~2
}`P&gV
hn'U*<pWVA
+-^*5D
P/oLW$++i
uz^7yo>@H
"P(B|_
VL: Wi
`\%y9}'7m
J/T|jO!1
q}'6u*|H
:8b$UlT
7F!sNzE|
xM`as3u"6WDOh
k8#1m{H6/p
%:YMw9#W
y@%Ui'6
{~_a4>Lj2
\Mds%B2)W
4T-c%4Gu
RvHZI1mXsUn
:1gH^7%,o'
.u:f{9
w+lkTrU :
DXzhyx
1(Mze]
Q4l53e
5:fhf
sY*$Lx!X
tZ4%[K/4;B-9
}$K#0
q:c^#TD
KDt&}c
r0~~>a
g/x0IM_dU
ZU<q)RY0&e0G)2Hv
!]dskv
7/.,sjnP8
i{mCZNTyvw
GI(T+2.
<Smdp%:F"ZV5 
H:pduG
`V;oN&c[h
v"u:x036>
qM4N4H7Z
u%M0/%
`2Sh=M
:p@3kzSrYCI
%_Y9Fg
*E"%LT
KB{zY(#lk?RX}
j9d^&T\+$p
tr?a?P'M
_U?1$`F{
5 dnM%
a+az]"
/dd<8V
<{VO&w;]c
C3=dh\
?'hMPS
k^k>x`V1]Xq)d
P8e[Lm<
GFCE_03h
])3%eQ90
"5GvDksi<
4mL?7f`O
4hIm,@z_.No)
frf-Od$qBjd7@=VWg_
)NsqF;
<_>\ g
\5FG5sl.V<&~N"U,u4e
2!*mU&qUm-
;wfkxD
SM.<qVb>fi{z
@,wvGJ!-
4-, :aU^Hq>
+SfuN~
?jIt6I
crG{)x.Bil=~
v4~JFd9
wu*-[K
^kIy,l
LxpY-TG
2J#\%`dk[YbX
d[W{!8y #/
e#d!`#T7q
M'h"8u<Q+:VEL
[]RTvB%n"
D96Pyv
F"oe9$F(
~ )uUKdF.k)S=66
OT'6z?Q<$s[
^.#Yr)&e
i -A*? 
Hx/+6pi.zPE
V}b|=- K1
*g\hZ_|'
8Lj@JJ
]X)oeO
7px(yqb(do
H4vaRO
OThQ]53-
t2kXA%<WU
Ce"`!qkuL
5Zj+"0%
:^xa`n5]f
x@}) &
6w32BM1B&!@!
JkNPN:
9iqghf3
{ {}s 
ZE~w{\5
~wVyX
:qLqUF3Vm
cBXEv
\"_^9UazF
,->AwZ
mA*Z=T8
-AF[]*V
zz{A,%B3@};$
BD8qeCGsYZF3
6S+Z!'o"
snKt/|$d~MGR1Wj
~bh2lYs
+>s>8m
j-j\BU
MBPDU~!W?'<)
~*x9[s7)YLI
__lb){/
q<Bl T
CbI"Fs
]],ss=
ng0nHY
{*Vt)t,
3uBMkGT`@t
mCVj^F\M
E1"'YtF
#F}plGHU
+n.?!K(Kq{
./T!2~72A
xom|"Y
dVsLW[|Pt..!z
V@ D!S
Ou%*5`X#tN
]",A#-n
~_d:D[_\;[.`&nblP/E
#whyM:EH,A6
|(5ur3
}Y3yyeQ~
mlRcQNt*
?mk\EAL,\
Fc5q\c|,
BSB@y
hRBR3_HP
Mqk8^.{
}QMAz%
 l/wDA
Yd-p-O0
M(A\sX#.
j3Dawx$
t{_hAZ,/4
it'Zo$K
V ]lyd
r8<3.6
4{A'*%z
pY(ES}&-i-h
&ozN(dU
:oa:"i
mb^:&
X45F/
jx*KNj',T
LD?)j-d=
Xgy/St
=J`,[B}Gz
vli~7O
x`UQ'0xn+K
o Jv9QksMI7KD
0sLdzf)F.
 ||:$a}k
,%)]4p]\B[R[
!h?e\%z5
26OMLz;
Z2;aM6|]
qfT7~S
x?GT"4
LN&E?3
=cRELB
@3L_\0
.T]Jq%{?i
Xa}9U.s
LdY`=&Uc
M+$f^SezE4,
n<)SF
.!`(g}Fyk
C}P>Z9
|3|~L.&/(f^=,
^P!<p{W
}O/[R,Ds
xYCPqSiLd
nO]nBT
1d}7Z(
za=~kDEt
j15?J.
2kzSl[
d^ho'jN.*9
#3h=l%O'
0MGvC?
BDeYNel
A#2F^1
SBP8S)R
f3-E1stwC`O=
c3N>sq
]8M:gbG
y6Ak53
@8B[.E5yxu
U%pn(a
Q(`NB}
T!sQ.+
!I}_GA+
2`if4Tt/BzRfv
B$+Fy1DI
4M1dVH
-Qy'\sQk
j~(2!JT@_;
OwSazS]s
C5YdVC
 7G"_U
Ao#%Y|
{wIER
)7ETd-W90^?M
S\lFS fQ
0\Bnjp$&Brf
E_X5e9eOPEAA
a[Qq|s
j"mCCan
+kiR2vstJQ2
2}Aw?S8
%0=8U8
!@Vb-#VK
!A6Ef:}
$[<CKY
}E"^u[y
c1,}g:]?wO
ZF-0O3YGp+Qfz
QVc/?/wgE>h
fe_c`$}OQadd}$<
+57a.^;
=Gf0VG-
wZ9feL*A
DE}1I%0O_
r"'$LSsc{)
u,}]0Dq},A
`v<:=*m
{q"xGg1
qHr?kS]/3{
n)WS8-x
6Ml}qg'SA28
>{l0@Z8S%P
5 QfAN9}u
cZ@1I,
9_X0xgnWU
F(@P6ax
j\+M&e=}39s
R*h$lR
C.pZ"-
"bC&UDYpe
N`Qg)(
bU])1m:gp(
:Py^(h
NDgpkNB"
P-b?+Nfe
U<bmjm-|y
W/E}M#
^`Gk!nU
["2SW9
wuv4971_ck
8o7Yn)n1p#H%
CH:5Kh
H#r]\m=
:3Vrzj
WA]@[gNP]J!
Qf$QEXO-
wD+[iI{n
*g@mdn S
Dk}}wj
.gH VR
PNI"'K_
8U#73kO
y>,v?*
pUxGxm9;72X0
Zt8NNw
QsN8r<FJ}$C_'11g#4
R7]vLifG
9P7!*I
TSEO=<Z[
6a^8h6t
gp3c`f
yL5w;zL
c;b%GV
v`4Q3<[;gy<At<
rMiz*Y)z1V
Eo?D#_
l=a2mA3h:O@5
Ve`<Odp2$
Zd!omvt>g!
?zayNz*luO9
0r^de&b
G>"$`]g
F-}m)u
^af)SW
8hGyip}
f<}yph)KV
Rh<{rQc
d*dY"^W
TA@cng
)8]2~OE7foG
by`&;P"
bdp\W+
"_g]$X!@
^w#9oy`
*PUn-44]mi
p.ldmF|c
TY*vLH6+RI
DE4jD;
7H};#[<1mUz
CCNw]0~
9/;{1!O
O;d[lG
f,Kq#8
:)Yvr}AE\^%
vtL"u[O,N
9#pynf:Tms
OR7@P$
()l`pys
Bb.L,e
N%yr%xnGYJ
ErU}5g
;II%q-xi
l)<64%lIM
6wl;FH
ivSZ;'^I0B
'\OStH,wE
n|p!+BKort
CVhqZ}t;ZsEQIeTP1
Q20v~k
f^wnUb
Z1VY)anz
P,Pm8e'}g1
PSG f$Z,_
T/V~xuT2
ZdEXmr<Xxdk&oMm*QaS
m1'-lb#9*j,teb
qO}\??
(+p`@XLCnyVf0\K~uo!Aa%@
{S^l9o
hBosq/p
cF3eyGN!
e%gT``
L4%35LgF
mX<_V=WY`/bqI
>/hPz%
BPGtq}
vVojQ#
{wUa2
{\R{r{x
PFNu{rNlHljv
gJXZlWBu
pX+nG"h524aj
k-)qG~&.
2T0Y\HxgR
G<'>/emP`
E}<WtSj
b-+B_i
.Z?B:F
x)Bwh$
r~;1n
l?wRk[D
'l"q0%
gpUJr_f
[O=@{s
O\/TnB~1y|
@Ta@2)#]^IZ
|wwa2A
N#2j4\7q}IJgn
2@jZ|>^
\A"sN5#\|
\F6|q[*h(y_
s@_3."B
SG1X'V/
yCz~nCHM
Jo"z;.
?"IfH&
Ts~uATu
v!m;[tu
 8OaWFs"+^R
ARURqL{
M(FZ6M>nSuxOt_
x>_-n6
,"k/ol&
cG&e#n
1 [dP
hAmx^V?#
~x[@ Z
R?f^Y?'yWhY$6m
I%qN>#
?7(B/_
O=Nn?5
E/lm{AH
[DgnP/b/
%`w_IxSV
XN{[)=
>5z`dI7
>hxw|WrY
W5Dx@L'
g"7L;i*gQ8,Eslc
j}B>jH-7@Rx=w
xU<tFd
' f1_YYwQ]l;89
y= L4Y
[[I'mm'
,"jJ=m
5RYi1'%
aD%&7s~7K
S~/Y{+G
Fw'Gi
5?P4Ekqrmlg`
&2_.]V@B;:<`3
}*2dcQw!1
=mnr#;A
ZrV*0b
'q*f(EUs:*N}x
K:PpGiXH_s`
W}sD#Fg1j8~EH
B;9CzTa
~|HI}j:!Ygn`Pk
fP7z%t
~,KpuS;]
q_DeE&
6jX)xQ<r~
"nq`JY B
T3FMgT
J%l:R
AVV0kv
*P:N*K#>b}
3c#'hwnE|
e{Z2O_}CQ-k
9*|<_#DAXg
EG|Elec
s*P+aOl`
o0x{r*98 c
|GdGaAHv
csr{ffv.
$M5i;/
KN6A1o*
R+24wy~
r^d1-3
T=L<G{A
[K6T]+zxryex$
"ef1~GU
;#+cfq
{;.# T^; =V
a%0md~-
,46D9yQ4xc`;*
8l\,%~Pv
IW/:Ok
S'tr!=~9_
7ILGAoB
T_|KVX
#L_7vv4)zX+%7(
cW$6q4
}VSrz$H
*a<d>,
p.~[dN
/!`{-?Vh
/<$:]W$
xUV`K:m
;T?~S0/kje@
8iK_(CX
\X(ol[@'_R
0?LihE%0
<t<<-W@9
6_TwMp
>`+p2;-$
T*4nV0{}hAQ
(U-a.e
Es'X9_7KO
"` Anx
,1^9-UCAH#VkYJJ*P~]fQ./r]V
Oh:kir^
@tyn],s
!}CbII(3
9!_3L*0Ye-M^$/
`(K8D|
c=LE-z 
a5XY3lh
.|NlUV)
wZaRf{d
#U6q=mC?ej){M
,-+,-,lm]K&h
fD[!M#
d>`p]Au@Xzow
cex!VS`
B|E!`8g/Jp0lSc
3L<-A.
UarS@s#
GqfRhB-CK4
0r~T{h/
%'Uh'Dx4
j^V5n4d#)?Q)BOY\B'
x(zP10%,
WF2KUQ*
*eFY|k+
<ZbGqw
^LKp%S^q\9h
%$zqD:gp@^XO*m+i]DX
-I>7)b
EQ4lP;Uo|
|6Xd3Pw=%t
BJc.O~
!{CKj@-
joD*|
4KB$"Y#
=QDaLed
a9>f)s4v2h
^na4EX 
gFBo@(
8C(zS!?
ByL#x9AT{+R
spTK`@X
AEH0tD
/"$(U7=q
`l)Cc^S
9~mV-
){A g&e4:H
U4^:Z&l
p@"2";xE
;Cv>k>
[b66hJy>s25{1'H\YH
E@b!,\YLzcO&|U
40nsE;}&
D6"Sjn7
Tmo@G5
W1%2@:f0YRs g
#ben3+
|3gw+pX
{A{/*qZ#Jg
$ma.~U.S<;D_
JuB9h?
=+f.8-U
po1uCq8L/t-Ao]5>E|MF
E99O9+#j_C
87{^Rb
6SO(_H 3K
`@7&VDWxFU
#UuTq^gN{D\2cJ02
tZQl$uq{E`?mx48S
%ElwNyO
p!9a>1 
.D[5<r!b_
z!MqrI
;bGsw[
*nU9=NE>
B0OR)ifoPI3XEpy
q"j`fro
}f\LD~ 
Z!lR!U
P?aYXw
E-\+7+
sjq=!yBzm4qb
'#ZIW'`<O2
toWwFd
r>Ut#:K
obSfez
eVg3z+\\F}`
}q3^im
+uiI BU
gxMA9(r5%N
;bKXZWmop_F.9}J
3gpr[\H,!
Hw*l9Z#+
 @}uFUwYx6ESbY0
B)\st1Uf
G\\_xJJ9
;vPO(AB?1"
Vl8dqiVc
"];|iIf
 CMS$Rq;aj<6ujP@?"
prKv\.
#Y9sq]-
w6>2$G
?o' oZ9
%!R-m:x>
>Gh4\i==ZK
RC[Qk(Ix
@t>;]d}W
>s}vMs
~QTNt^)k
G~3BKj
3&%U21d#{ZGwIrM
[|I~\>
i`5-Yr
[TyZ\c
-4CD{_tlLipP'
_?(&mG&
dSN4A3)
Gi.Zc9
IPA r14n.
aRi)W=W
EK&^-K
rv4=<.P
gL3)I_u
?8s`>=h5~Fn?SN5fN
CX{X[C
gZxD"WjYV
!h0#[R8
2w5Q A
 tZR`G3pS?c}CW
6WLd"j
5liqbe
UM2|3cdsSq}
xxR+V}pKd
MLi3V?|xyoJLx2
qgXI*"$:$+nR!_
XCWPf^9
/+5*&\
Fj?Sponf
VX3&I*5
jbSY6W+
Dfn]yZ
\n:`uYt
$oXrN
g*,zez
>uzP<R
I%v29>
cL |?B+
=qbi6"
04?6/mjU~
SF|hqetH8&-
+ e(%/p,gZy
rsSaZh
|ebA<gM,!X?]
8t.NqK
VRJ%eKFVS 
a@uG,nV
5r(0dQ
!u]^Q#
1saEN
$cLN>D
=e4o6RAds
P: (e?
eOU"aXPW
2IH6\5Dj<!*<Vv'
x;?o`k0N
_Y%S>x@
{GZU-!
P}Z/KvA
"4i-nuDVcG
)+7Xx}{;
3j_>lr[=
4:E+&7p~jHJeA
/rBBZU
q{v![TK7>{B< 
B^[k2J"
>sC%dHI
v=s,(S
FEHU}+
0ouKC-3
8bgmka{U
[uXY2(
[!5x)$&
=3R:/F
W8zN[j_
l #d5 )X
? P{X (TpxhK/(10!D 
]rVC=kQ
9wZ6t&J
bM|`wN|UwK"
J\oM=,
gbk21Af
\`Z%fdB.{
fmAHnn
z/sSqL2
@rK6G/$=`>A1v#x=
diumleF
b'F!qH
zT<p+ZL
>90\z/X
#dbEWmf
s4B0.x{ipne8PKm!
i4-"bosL0
8^KQqbF#6
@}tl?`
^?-~M[=3
qw"{1q#k,N
QWIrpfc
/1LbL7
];][+n!_'Y
@LEd7B6#_2?o
91LvQt
3h_nC/'gk
\~NXLab9d/
bme$3S%
C.$I,1Y
_"XrzZ
lw}M'yv
L,MS]Pu'9
'x2bVX)
:IF^|O3
 I;J`R
Piy0U/y58
X"1zRk[z
u\LK_RK
z].|Q!%V
L27{4
#dhlU'3 "t8L&4l
,@.7i:
L ?'Mu
TVY(cr
9eG6ffQ
kVet1!}
FvJY1w
$fDTHw
-/.ac]%bq;:
rllI=* /
 8ONgWN_
$:[[Rm
-V/=d^.
*ev0(u
';YeK8
{4#m,v
1}sP5E%{:Q
!lGjwv,
u<$1EueM)Ym<G_t4
=~fC88
/1W1I[C+R
rz222vu~
iGX-aD&=-H
w=7QK4r@L
C<{0Kn{^
r2O^0G}qnl
yKrHV[;
?Zn+Ln
ymw>IB
a2~\)B#_l
jk<nvfI
^Q|mb`=wm
dcV!1@a
$.=v_D`BW
$72}&aI*m#
L]{2\; 6d1
S&ML*>lQ4
x"/,)Av
y,!.Y?
W0St;l(I
`5%J!LVoC}
M.K;q/
+g+fh5
nobYG\}
g2OHjO
KUa}Gq
Is)ch<A
k[Uz>"
HTJZyX5\oA6T1
<0nF`P
QhOn}0aE
'd$<nF0'r
=QDNC'b{{L
#%Ie-T1h-o
/;I\9+/
BmfZlU6<y
Kiz^H=F5>
Ka+.}6md7iv)
*"Pd%'
I 59U*DLx
OtB3dq.l
lZW3=r
xK]R_TQ.p,GZ(
gDCI|M>F`l0)
Hx%lraf
).>.&T!6%Vi
<2$wG#$
L$:F.`2_
B[l|HiE
_9<io_C
L17})}uB#I7
$!g%R]<Q!
JgS`5/:
CtykOIL
m{s?ohNhU
GB},)8(R2>g]ny
8 tXF 
$U4F[Mt5
KN"pL@bh< [[Zp3\"V'
j,$iy7s(rMO;H
~@eXK"yH
,lxZtQ
u29Epv+rd
!,2I#('U
;Yw_hr
M4'?adu
!g.\=p
S"_|zHX
df7x?F?
_^F66;MVKR)|
,}C8K$
U!%MK~
k{U$GWtM
~u^OD3Fe
gWrZ>=Z/
s[wv=d
?G5I\+r
+9s`Ah
FqyJqR?
YXu@ee%E
#z+2w0.N@|[q87
_"X|+5
*:^?@:7
! Ha s
G"GDna(M
7D,NDk$^
IjX4Bc
fvMC&R
ron] daI
tB,yQ/
(z8&/q#J
uqwz^,eS
j@~tXn
DRxQ3dZ_@2
dW+O^{M,
*IQ[>/2
*s/~Lhb
/oEt-$nA[p
NNk[&PL
]/Ll'c
N+zM(o[J]
U%I<l H-(,1d6
Ik7|S4?K$
?C'ySx
SVTKGBN
^rFvn,
KdsRxH.
66E.y*q/JW:|&
<R."PFX
;ac+sjH&
?O*lr;[J)$)5qN)o?])
>fEq%AD
? uB|T
;=kybxg
&[5i"c?
c3Lqk{!V
-MPfzv
WdbnSx+$xXD
`v\*=E(2
clLm4YP]Yy
Lz1,/:
}f1pj(%sM\Gm'_!8
:'6/:J7/
&BTScDF<
PPZ`qlb
f1W$Iz3Kp
=*mCth8H,U8u/~%n
0!q{'t
.:il-'N/@
";):)H
.N[{1-
"),*'A5CyLO(
nyXddH0F
.t:bmK.
F}UDek&J+
*BVhX0
5yy~eY.bV5SjU
%**WiQ
OGiQ'U>
/,:1CGu'
}){V#2|
4_{!i"
1>,wI=
_Ebljb
3C+N|N}-X~7%
r{i0Pf
'5^0b}Z#\e
a+`ztuKu
%?fv%Txe
 vQ7zam
.+5i3w
[BDHW:-
BzHGgB
 XPJ=!*2YKm
,sXo60
\N,~:3OLA\Py8g}!CKE#
n,F3dv
I!KCjsC
nUromg
;=!RVpH
k6EFN0
#Dmfg
Nv7G-x
.a*g@F
%[W@pOIm
Z_8U!+G<
l>H!cq}e
)$_E?
EoX6zwBv!
g75I`Kn
U({1Wt~!aQ 
lc 6syC{
`{Qbv2u7EC$gAZ^'
pARx?s"v94
p)\LxUD@hO9;
v:{h"#Xe4
U'dJ?uN
,M3=.xB9
HljBX0
A\H?4IJs
qWge$x
xsdrAS0i
^%Gb5I
"HZSrix(cumb3e
=z[w}iz
D5kYPzfhls|kQkn
aQKM3fmtB\7kV
ho|D'M{
*`z5.f%\zru
A^Q0NTptU'UTq
PX=^H[T,
9iY=B}0^8!
& L`$8
LM]F~r;s=
_P7hIMw,71=
,gFajy
W>A{#z-2YbfN
.R':yD}K
^.?px;#!`
f?A[5#
x>rka&Kt]o%
4]8/"Lu2%O
"A15&(t$*
ihU8&BSJ[_d
=[BpU:+mP
G'?*,,
%-X"Bn=7
km0A8/e&wB
"7hfN} RW
&OZ(f5li
]\09t}
NR%dJH5hA&
ePav9 %d1~
E^~QkC8k
,0'TyK<
g}iJeA
I=@$BaJg
Y=RCj0
dyf5lf*
s/ME'
[[~P*53
Lv_%j.G
`O;SY|
9,dBfyQ
noa*$5
{3mZipG,:H;
4^@-aLr,
I.k=1]
5!W'8X
YPn"jVBZW
;W,}6Ha1
xALd&r
Cv#0lt
2w^g|_
,wG)~NZ9Aop.
shN;,INT
c>Set@
=?Ju*iHYv
TI%+l]S
C~Qa%4`ZE/yMv
&orvA'9krI
nmg~Wck+
^G>Q69
H+Dnd%7P
a[E6'Z&
U.s$=W)I
N"50TkeD
GA(j%YBT":
f7\t!&
h7}fk|
QI{>u&OdvZ%
-%9S,>?
Dcwg%uI
vy7NMtchi
-zLi4:(Yx
+f/Ued
OOQOQQP>
POQOQp<
PQp7Q7P7Q7P7Q6P7Q7Q5P6QT! S!
6P5R7Q7P5Q6P7R6R5P7R5QT!!R#
5Q7R6P6P5R7R7R7R7Q7R6R T"!R! T#
8:99:s
5P5P7P6P7Q7P7R6P7R7P6PS#R"S!
:::8:99r
5R6P5Q7Q7P5Q5P7R5Q6PS! S"!S#!R"
99:::989q
=vFwFvF#
898:898a<ob<or
#"#OPOQP=
<vGuFuH!"
9:99:9:#a;qb=oa=q#!#
###!QQOOOQQ
>vGvFuHvGvG
N89989!b<qc=qc<qc=p##
"""#QPPPPPQP><wHuGvHvGvGuF
b;o899c<pc=oa<qb=pb=pa<o
!#!"PQQOQQQPOO
a<qa=o9b;pc<pa<oa<oa<qb;o
OPQQPQPOP
b;qb;qb<pb;pa;qa=pb;oc<qc=o
OPQQOPQQO
c=oa=oa<qa;qc=oa=qc<q
PQOQQOOO
k-=a<qa<pa<pa=oc<q
OQPQQPQ
QPPOOP
s/vFvG
99889:9
9:8:989:
9989988998
-3-2,1,3+3
]_^^_]
+2-3,3+3-3
-3,3,2+2
]]_]]_]^
,2+1+3,2,3,3-2
+2,3+3-1+3-1+3-1,3-3+2,1-1,2^_]__
+3,1,1,1+2,1+3,1
-3-1+2,3,2,1@1}?0~>2}?0~?0~?2}?1~>0~+3-2-3-2,1+3+2,2,1,2-1
+2-2,3-1-2-3+3+1+2
-2-1-1+2?0|>0~@1|?0}@0|>0~>0|>0~?2}?0|@2}@0~?1~?0|+2+3,1-1+2+3-2
-1-2-2+3-1,3+3+3-1-3
+2,2+1>0}?2~?2|@2~?2|?2}?2~?0~?2~@2|@2~?2}?2~>1|>0}-1,1,2-3-1-2+2
-2+3-1-3,1-3,1+3-1-2-3
,1+2?0|@1|?0~?1|?2|>2|>0}>0|>0}?1|?2~@2}?0~>0}@1~,2+1,1,1+1+1+2
,3,3+3+1-2+1,3,2-2,3-3-3
,1+1@1}>2}@2|?2}>1|?0|?0}>0~@1~?0~>1|@1}>1}?1|@0}+2-3+2-2,1,2-2
+3+1,1,2-3,2-3+3,3+1-1
+1>2|?1~@1~?0~?0|?1|?1|>2|?1|@1~>0|?2|?0}@1}@1~,1,3,2,3,3+2+2
)P'PuH(O(O)P)O
Z+2-1,1+2,2
>2}>0|@1}?0~@2|?0|@2}>1|@0~>1~?1|?1~@2|@2~-1,3+2-2,3-3+3,1
)N'OwFwF'N'P
,1@0}>2|>1|>0}@2}?1~@2}>0~@2}>0}?0}?2~?0}+1+2+1-3,1-2,1-1
qvGwHuF
p>0|@1}>2~>0|>2}>1~@1~@1}>2}@0~@0~@2},1,1-1+3+3,2-1-1
qqwGvG
xJ[yJ[zKY>2}>1|?2~>0|?1~>1|@1}?0}@0}@2|:899:::,2
ZPssruHvH
xIYyJZyKZxJYyJYyJZyKY?1}>2}@0|@2~9:8:9:8:9
OZNYOZNsrswFuG
yJYzJYzKYyJ[xIYyIYxKYxIYxJ[zKZzKY9:::8:8:9
N[OYNYPqsquHwG
YxKYxK[zI[xI[
zK[yJZyJYyK[yJYxI[yKYyKZzIZzKY:8998999:
OZPZOsssswFvF
YyJ[xJZyKZyI[xKZ
zJYxIYzK[yJYzJYzIZxKZxK[yK[
::9:::9:
OrqszI[xKZyIZyI[zJYyI[xKYyI[zI[xIYyJ[xI[xIYyJZ
xKYyKYzKYzJZyKZxIY
n:89::889
PzKZxJZxJYzKZyJYyK[yJ[yJYyI[zJ[zIZyKYyJ[zJYzIYxIYyIY
yJYzIZxJZ
p}*::99888
NxIZyKZzI[xKZxIYxKYxKYyKYzJZxK[zIZzIZzJ[zI[yIYxJZyIZzKYxJZyK[
|):::999
PyJYxKYzJ[zKZyJ[xJYzJ[xI[zI[xI[zIYzI[zI[xJ[zJ[yKZzKYxJ[zKZyIYxIZzIY
}*|)9:988
PzIZxIZzJ[yI[yIZxJ[xJYyK[zKZyJZyK[zJYyJZyI[yKZxK[zK[xKZzKYyJZxJZ
{*})|)9:99
OzJ[yJZxK[xJZxJ[zJZxK[zJZzIYzK[yIYxIYyK[zKYzJYxIYzIZ
|)|+}):::9
PxJZxIZyI[yIZzIYzK[yIZzKZzI[xJ[xK[zJYzIZyKY
P|+{){*:88
PyJ[yJZxKZzJYzJ[yKZzKYxKYzJYzIYxJY
/`.b/`/a0b
P}*|)9:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
11S2^2o22222222222B3G3Q33
5u55g6q6~66666
7/7R7e777778999<4>???
01d4h4l4p4t4x4|444444444444
505B5P5e5o55555
636u667T8r888
9"9p<`=>>
1<3@3D3H3L3P3T3X3a3~334444>55555555R6Z6m6x6}666666666
7"7(797r7|777777888
9%9@9H9N9\99999
:L:z:;;-<j<y<<<<<<j>v>|>>>>>
?I?o????
0&0m0w00000,1>1l111111111
2 2)2/282D2J2R2X2d2j2w2222222.343^3d3j333384[4e44444
5$5*51575?5F5K5S5\5h5m5r5x5|55555555555555555
6.646L6p6|66666666
7b7o7777
88899::1;<y=I>z>>>>???
e000%1-1`1
2Y2p233+484B4P4Y4c4444444
5=5r555
6[666^7j7}7777777
8#828Y88888B999::G;a;r;;;
<#<l<<p=v========!>*>6>o>x>>4??
2'222U22222
3%33393\3c3|333333
4j4455%616<7
88=8Q8W8888
9.9]9c9k999999
;#;2;?;E;j;q;y;;;;
<)<.<3<J<<<<<<<<
=%=+=5=>=I=N=W=a=l====???
:0l000000000
1 1$1(1,101z1111111
22$2(2,2M2w2222222222
3 3$3(33333"4J4c4
5 5.5;5Z555555555555555
6#6(6.686A6L6X6]6m6r6x6~666_7d777v8F999|:g>y>>>>>>>
?/?A?S?e?w????
00L1{111
222222m33
4+4a4k4415=5555
6Q6W6o7u7z7778888#9U9}9<======B>L>T>h>>>>>
?&?8?>?L?\?j?????????
0I0W0a000000000
1%11161<1A1z11111111111162>2P2Y2^2e2j222222
3&3-34393@3F3333333333333
4#4'4-41474;4A4E46G77<=?
0%001111111
2)2O2m2t2x2|22222222222R3]3x3
333333
4 4$4(4,4v4|4444@678899g:H;;;<<<7=N==
01171111222\3
606|9999999999999w::::
1111111
;$;,;4;<;D;L;T;\;d;l;t;|;;;;;;;;
11`???????
(0D0H0h0000000
181X1x1111111
2 2@2`222222
x1133x8x9|999999999999999999999999999999999
: :0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|::::::::::::::::::::::::8;H;X;h;x;;;;;;;;;;;;;;;;;
= =$=(=,=0=4=8=<=H=L=P=T=X=\=`=d=h=l=p===
MTk7MTk=
L!This program cannot be run in DOS mode.
i2h:2h:2h:2i:gh::1h::3h:)%:"h:)%:Ph:)%:
h::3h::*h::3h::3h:Rich2h:
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
]ut5p?
W3+t#Hu7Vu
^3[UQE
V3WM0u
UVW39~
<|uCt7
t79V$t2h
M 3UE9J
MA3;~\U
E;}q}M
PE @PE
MPE+@PE
G;}|}]}$
F;}^U9]
z;~\;}T;]
Yt]U]U]
EVW3EP
@jjjjjjjjj
@jjjjjjjjjjj
@jjjjj
@@@@@@@
(null)
mscoree.dll
runtime error 
TLOSS error
SING error
DOMAIN error
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
- abort() has been called
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
@Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
KERNEL32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
WUSER32.DLL
         (((((                  H
         h((((                  H
                                 H
CONOUT$
zisigipixivedi kamoxedisifapikupesagekorapi pawenikohabaxavecisumucugidiwexa mucacezo purevo
yuponicemirefikinadaxepiworafu vohiparubewodo kucugebe ju carekawe soluvixezelekehe nabuhubujekaputewapabeha ve sijewajuzipofazutu
ikernel32.dll
cwocawucugisasupiyecejabi xehujozenirelosije du
@@@@@@@@@@
@@@@@@@@@@@@@
@@@@@@@@@@@@@@
@@@@@@@@
VS_VERSION_INFO
StringFileInfo
FileVersion
1.0.0.2
InternalName
sgahffjfghj.exe
LegalCopyright
Copyright (C) 2017, dogndgee
ProductVersion
1.0.0.2
VarFileInfo
Translation
RESOURCE_FATOKENIZER
KERNEL32.DLL
smscoree.dll
nruntime error 
TLOSS error
SING error
DOMAIN error
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
- abort() has been called
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
WUSER32.DLL
         (((((                  H
CONOUT$

Process Tree

05c8cbd8e5353d19cda79a909da73b1fcf52ac81c10841c9c5b229c428dcbe08.exe (3028) "C:\Users\Administrator\AppData\Local\Temp\05c8cbd8e5353d19cda79a909da73b1fcf52ac81c10841c9c5b229c428dcbe08.exe"
- nslookup.exe (2644) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (3792) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (3472) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2760) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (1472) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2984) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (1700) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (316) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2200) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2224) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2800) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (488) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (1192) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (556) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2940) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (328) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (1852) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (1104) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2824) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (1776) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (1260) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (1384) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (1912) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2916) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (3280) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2092) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (852) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2316) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2672) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2096) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (3408) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (1984) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2764) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (3152) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2976) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2876) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (1188) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2544) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2352) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (696) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (1760) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (796) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2020) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (1240) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2440) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2868) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (3052) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2728) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2164) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (888) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (3216) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2476) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (3536) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2004) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2772) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (1980) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (3728) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (1612) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (3600) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (1836) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (1928) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2552) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2884) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2652) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (1528) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2136) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (2704) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2340) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2276) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2988) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2856) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (1996) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (1176) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (3664) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (3032) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2456) nslookup ransomware.bit ns1.cloud-name.ru
- nslookup.exe (1200) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (3088) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (3008) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2756) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (3344) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2740) nslookup zonealarm.bit ns1.cloud-name.ru
- nslookup.exe (2712) nslookup ransomware.bit ns2.cloud-name.ru
- nslookup.exe (2380) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2388) nslookup zonealarm.bit ns2.cloud-name.ru
- nslookup.exe (2472) nslookup zonealarm.bit ns1.cloud-name.ru

05c8cbd8e5353d19cda79a909da73b1fcf52ac81c10841c9c5b229c428dcbe08.exe, PID: 3028, Parent PID: 2600

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3008, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2004, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2704, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1996, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1176, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1928, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2388, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2728, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2020, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2916, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2380, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2772, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2740, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2340, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 888, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1612, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1760, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1192, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2552, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1700, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 556, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 696, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2856, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2884, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2652, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2984, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2316, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2136, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1260, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2092, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1980, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1912, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 488, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2712, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2760, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2456, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2472, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2440, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2096, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 852, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2276, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1240, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2224, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2868, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2544, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3032, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2824, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2940, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2976, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2800, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2164, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2476, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2876, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1104, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 796, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1472, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1528, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1984, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1776, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1836, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2200, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1200, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2672, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2352, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 328, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2756, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1384, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1852, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 316, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2988, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3052, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 1188, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2644, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 2764, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3088, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3152, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3216, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3280, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3344, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3408, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3472, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3536, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3600, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3664, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3728, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

nslookup.exe, PID: 3792, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
114.114.114.114
8.8.8.8

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255 A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
ipv4bot.whatismyipaddress.com
ns1.cloud-name.ru
114.114.114.114.in-addr.arpa	PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com PTR public1.114dns.com
zonealarm.bit
zonealarm.bit
ns2.cloud-name.ru
ransomware.bit
ransomware.bit

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	61714	8.8.8.8	53
192.168.56.101	56933	8.8.8.8	53
192.168.56.101	138	192.168.56.255	138
192.168.56.101	58485	114.114.114.114	53
192.168.56.101	57665	114.114.114.114	53
192.168.56.101	51758	114.114.114.114	53
192.168.56.101	52215	114.114.114.114	53
192.168.56.101	52216	114.114.114.114	53
192.168.56.101	52217	114.114.114.114	53
192.168.56.101	52218	114.114.114.114	53
192.168.56.101	52219	114.114.114.114	53
192.168.56.101	52220	114.114.114.114	53
192.168.56.101	62361	114.114.114.114	53
192.168.56.101	62362	114.114.114.114	53
192.168.56.101	62363	114.114.114.114	53
192.168.56.101	62364	114.114.114.114	53
192.168.56.101	62365	114.114.114.114	53
192.168.56.101	62366	114.114.114.114	53
192.168.56.101	62367	114.114.114.114	53
192.168.56.101	62368	114.114.114.114	53
192.168.56.101	62369	114.114.114.114	53
192.168.56.101	62370	114.114.114.114	53
192.168.56.101	62371	114.114.114.114	53
192.168.56.101	62372	114.114.114.114	53
192.168.56.101	62373	114.114.114.114	53
192.168.56.101	62374	114.114.114.114	53
192.168.56.101	62375	114.114.114.114	53
192.168.56.101	62376	114.114.114.114	53
192.168.56.101	62377	114.114.114.114	53
192.168.56.101	62378	114.114.114.114	53
192.168.56.101	62379	114.114.114.114	53
192.168.56.101	62380	114.114.114.114	53
192.168.56.101	62381	114.114.114.114	53
192.168.56.101	62382	114.114.114.114	53
192.168.56.101	62383	114.114.114.114	53
192.168.56.101	62384	114.114.114.114	53
192.168.56.101	62385	114.114.114.114	53
192.168.56.101	62386	114.114.114.114	53
192.168.56.101	62387	114.114.114.114	53
192.168.56.101	62388	114.114.114.114	53
192.168.56.101	62389	114.114.114.114	53
192.168.56.101	62390	114.114.114.114	53
192.168.56.101	62391	114.114.114.114	53
192.168.56.101	62392	114.114.114.114	53
192.168.56.101	62393	114.114.114.114	53
192.168.56.101	62394	114.114.114.114	53
192.168.56.101	62395	114.114.114.114	53
192.168.56.101	62396	114.114.114.114	53
192.168.56.101	62397	114.114.114.114	53
192.168.56.101	62398	114.114.114.114	53
192.168.56.101	62399	114.114.114.114	53
192.168.56.101	62400	114.114.114.114	53
192.168.56.101	62401	114.114.114.114	53
192.168.56.101	62402	114.114.114.114	53
192.168.56.101	62403	114.114.114.114	53
192.168.56.101	62404	114.114.114.114	53
192.168.56.101	62405	114.114.114.114	53
192.168.56.101	62406	114.114.114.114	53
192.168.56.101	62407	114.114.114.114	53
192.168.56.101	62408	114.114.114.114	53
192.168.56.101	62409	114.114.114.114	53
192.168.56.101	62410	114.114.114.114	53
192.168.56.101	62411	114.114.114.114	53
192.168.56.101	62412	114.114.114.114	53
192.168.56.101	62413	114.114.114.114	53
192.168.56.101	62414	114.114.114.114	53
192.168.56.101	62415	114.114.114.114	53
192.168.56.101	62416	114.114.114.114	53
192.168.56.101	62417	114.114.114.114	53
192.168.56.101	62418	114.114.114.114	53
192.168.56.101	62419	114.114.114.114	53
192.168.56.101	62420	114.114.114.114	53
192.168.56.101	62421	114.114.114.114	53
192.168.56.101	62422	114.114.114.114	53
192.168.56.101	62423	114.114.114.114	53
192.168.56.101	62424	114.114.114.114	53
192.168.56.101	62425	114.114.114.114	53
192.168.56.101	62426	114.114.114.114	53
192.168.56.101	62427	114.114.114.114	53
192.168.56.101	62428	114.114.114.114	53
192.168.56.101	62429	114.114.114.114	53
192.168.56.101	62430	114.114.114.114	53
192.168.56.101	62431	114.114.114.114	53
192.168.56.101	62432	114.114.114.114	53
192.168.56.101	62433	114.114.114.114	53
192.168.56.101	62434	114.114.114.114	53
192.168.56.101	62435	114.114.114.114	53
192.168.56.101	62436	114.114.114.114	53
192.168.56.101	62437	114.114.114.114	53
192.168.56.101	62438	114.114.114.114	53
192.168.56.101	62439	114.114.114.114	53
192.168.56.101	62440	114.114.114.114	53
192.168.56.101	62441	114.114.114.114	53
192.168.56.101	62442	114.114.114.114	53
192.168.56.101	62443	114.114.114.114	53
192.168.56.101	62444	114.114.114.114	53
192.168.56.101	62445	114.114.114.114	53
192.168.56.101	62446	114.114.114.114	53
192.168.56.101	62447	114.114.114.114	53
192.168.56.101	62448	114.114.114.114	53
192.168.56.101	62449	114.114.114.114	53
192.168.56.101	62450	114.114.114.114	53
192.168.56.101	62451	114.114.114.114	53
192.168.56.101	62452	114.114.114.114	53
192.168.56.101	62453	114.114.114.114	53
192.168.56.101	62454	114.114.114.114	53
192.168.56.101	62455	114.114.114.114	53
192.168.56.101	62456	114.114.114.114	53
192.168.56.101	62457	114.114.114.114	53
192.168.56.101	62458	114.114.114.114	53
192.168.56.101	62459	114.114.114.114	53
192.168.56.101	62460	114.114.114.114	53
192.168.56.101	62461	114.114.114.114	53
192.168.56.101	62462	114.114.114.114	53
192.168.56.101	62463	114.114.114.114	53
192.168.56.101	62464	114.114.114.114	53
192.168.56.101	62465	114.114.114.114	53
192.168.56.101	62466	114.114.114.114	53
192.168.56.101	62467	114.114.114.114	53
192.168.56.101	62468	114.114.114.114	53
192.168.56.101	62469	114.114.114.114	53
192.168.56.101	62470	114.114.114.114	53
192.168.56.101	62471	114.114.114.114	53
192.168.56.101	62472	114.114.114.114	53
192.168.56.101	62473	114.114.114.114	53
192.168.56.101	62474	114.114.114.114	53
192.168.56.101	62475	114.114.114.114	53
192.168.56.101	62476	114.114.114.114	53
192.168.56.101	62477	114.114.114.114	53
192.168.56.101	62478	114.114.114.114	53
192.168.56.101	62479	114.114.114.114	53
192.168.56.101	62480	114.114.114.114	53
192.168.56.101	62481	114.114.114.114	53
192.168.56.101	62482	114.114.114.114	53
192.168.56.101	62483	114.114.114.114	53
192.168.56.101	62484	114.114.114.114	53
192.168.56.101	62485	114.114.114.114	53
192.168.56.101	62486	114.114.114.114	53
192.168.56.101	62487	114.114.114.114	53
192.168.56.101	62488	114.114.114.114	53
192.168.56.101	62489	114.114.114.114	53
192.168.56.101	62490	114.114.114.114	53
192.168.56.101	62491	114.114.114.114	53
192.168.56.101	62492	114.114.114.114	53
192.168.56.101	62493	114.114.114.114	53
192.168.56.101	62494	114.114.114.114	53
192.168.56.101	62495	114.114.114.114	53
192.168.56.101	62496	114.114.114.114	53
192.168.56.101	62497	114.114.114.114	53
192.168.56.101	62498	114.114.114.114	53
192.168.56.101	62499	114.114.114.114	53
192.168.56.101	62500	114.114.114.114	53
192.168.56.101	62501	114.114.114.114	53
192.168.56.101	62502	114.114.114.114	53
192.168.56.101	62503	114.114.114.114	53
192.168.56.101	62504	114.114.114.114	53
192.168.56.101	62505	114.114.114.114	53
192.168.56.101	62506	114.114.114.114	53
192.168.56.101	62507	114.114.114.114	53
192.168.56.101	62508	114.114.114.114	53
192.168.56.101	62509	114.114.114.114	53
192.168.56.101	62510	114.114.114.114	53
192.168.56.101	62511	114.114.114.114	53
192.168.56.101	62512	114.114.114.114	53
192.168.56.101	62513	114.114.114.114	53
192.168.56.101	62514	114.114.114.114	53
192.168.56.101	62515	114.114.114.114	53
192.168.56.101	62516	114.114.114.114	53
192.168.56.101	62517	114.114.114.114	53
192.168.56.101	62518	114.114.114.114	53
192.168.56.101	62519	114.114.114.114	53
192.168.56.101	62520	114.114.114.114	53
192.168.56.101	62521	114.114.114.114	53
192.168.56.101	62522	114.114.114.114	53
192.168.56.101	62523	114.114.114.114	53
192.168.56.101	62524	114.114.114.114	53
192.168.56.101	62525	114.114.114.114	53
192.168.56.101	62526	114.114.114.114	53
192.168.56.101	62527	114.114.114.114	53
192.168.56.101	62528	114.114.114.114	53
192.168.56.101	62529	114.114.114.114	53
192.168.56.101	62530	114.114.114.114	53
192.168.56.101	62531	114.114.114.114	53
192.168.56.101	62532	114.114.114.114	53
192.168.56.101	62533	114.114.114.114	53
192.168.56.101	62534	114.114.114.114	53
192.168.56.101	62535	114.114.114.114	53
192.168.56.101	62536	114.114.114.114	53
192.168.56.101	62537	114.114.114.114	53
192.168.56.101	62538	114.114.114.114	53
192.168.56.101	62539	114.114.114.114	53
192.168.56.101	62540	114.114.114.114	53
192.168.56.101	62541	114.114.114.114	53
192.168.56.101	62542	114.114.114.114	53
192.168.56.101	62543	114.114.114.114	53
192.168.56.101	62544	114.114.114.114	53
192.168.56.101	62545	114.114.114.114	53
192.168.56.101	62546	114.114.114.114	53
192.168.56.101	62547	114.114.114.114	53
192.168.56.101	62548	114.114.114.114	53
192.168.56.101	62549	114.114.114.114	53
192.168.56.101	62550	114.114.114.114	53
192.168.56.101	62551	114.114.114.114	53
192.168.56.101	62552	114.114.114.114	53
192.168.56.101	62553	114.114.114.114	53
192.168.56.101	62554	114.114.114.114	53
192.168.56.101	62555	114.114.114.114	53
192.168.56.101	62556	114.114.114.114	53
192.168.56.101	62557	114.114.114.114	53
192.168.56.101	62558	114.114.114.114	53
192.168.56.101	62559	114.114.114.114	53
192.168.56.101	62560	114.114.114.114	53
192.168.56.101	62561	114.114.114.114	53
192.168.56.101	62562	114.114.114.114	53
192.168.56.101	62563	114.114.114.114	53
192.168.56.101	62564	114.114.114.114	53
192.168.56.101	62565	114.114.114.114	53
192.168.56.101	62566	114.114.114.114	53
192.168.56.101	62567	114.114.114.114	53
192.168.56.101	62568	114.114.114.114	53
192.168.56.101	62569	114.114.114.114	53
192.168.56.101	62570	114.114.114.114	53
192.168.56.101	62571	114.114.114.114	53
192.168.56.101	62572	114.114.114.114	53
192.168.56.101	62573	114.114.114.114	53
192.168.56.101	62574	114.114.114.114	53
192.168.56.101	62575	114.114.114.114	53
192.168.56.101	62576	114.114.114.114	53
192.168.56.101	62577	114.114.114.114	53
192.168.56.101	62578	114.114.114.114	53
192.168.56.101	62579	114.114.114.114	53
192.168.56.101	62580	114.114.114.114	53
192.168.56.101	62581	114.114.114.114	53
192.168.56.101	62582	114.114.114.114	53
192.168.56.101	62583	114.114.114.114	53
192.168.56.101	62584	114.114.114.114	53
192.168.56.101	62585	114.114.114.114	53
192.168.56.101	62586	114.114.114.114	53
192.168.56.101	62587	114.114.114.114	53
192.168.56.101	62588	114.114.114.114	53
192.168.56.101	62589	114.114.114.114	53
192.168.56.101	62590	114.114.114.114	53
192.168.56.101	62591	114.114.114.114	53
192.168.56.101	62592	114.114.114.114	53
192.168.56.101	62593	114.114.114.114	53
192.168.56.101	62594	114.114.114.114	53
192.168.56.101	62595	114.114.114.114	53
192.168.56.101	62596	114.114.114.114	53
192.168.56.101	62597	114.114.114.114	53
192.168.56.101	62598	114.114.114.114	53
192.168.56.101	62599	114.114.114.114	53
192.168.56.101	62600	114.114.114.114	53
192.168.56.101	62601	114.114.114.114	53
192.168.56.101	62602	114.114.114.114	53
192.168.56.101	62603	114.114.114.114	53
192.168.56.101	62604	114.114.114.114	53
192.168.56.101	62605	114.114.114.114	53
192.168.56.101	62606	114.114.114.114	53
192.168.56.101	62607	114.114.114.114	53
192.168.56.101	62608	114.114.114.114	53
192.168.56.101	62609	114.114.114.114	53
192.168.56.101	62610	114.114.114.114	53
192.168.56.101	62611	114.114.114.114	53
192.168.56.101	62612	114.114.114.114	53
192.168.56.101	62613	114.114.114.114	53
192.168.56.101	62614	114.114.114.114	53
192.168.56.101	62615	114.114.114.114	53
192.168.56.101	62616	114.114.114.114	53
192.168.56.101	62617	114.114.114.114	53
192.168.56.101	62618	114.114.114.114	53
192.168.56.101	62619	114.114.114.114	53
192.168.56.101	62620	114.114.114.114	53
192.168.56.101	62621	114.114.114.114	53
192.168.56.101	62622	114.114.114.114	53
192.168.56.101	62623	114.114.114.114	53
192.168.56.101	62624	114.114.114.114	53
192.168.56.101	62625	114.114.114.114	53
192.168.56.101	62626	114.114.114.114	53
192.168.56.101	62627	114.114.114.114	53
192.168.56.101	62628	114.114.114.114	53
192.168.56.101	62629	114.114.114.114	53
192.168.56.101	62630	114.114.114.114	53
192.168.56.101	62631	114.114.114.114	53
192.168.56.101	62632	114.114.114.114	53
192.168.56.101	62633	114.114.114.114	53
192.168.56.101	62634	114.114.114.114	53
192.168.56.101	62635	114.114.114.114	53
192.168.56.101	62636	114.114.114.114	53
192.168.56.101	62637	114.114.114.114	53
192.168.56.101	62638	114.114.114.114	53
192.168.56.101	62639	114.114.114.114	53
192.168.56.101	62640	114.114.114.114	53
192.168.56.101	62641	114.114.114.114	53
192.168.56.101	62642	114.114.114.114	53
192.168.56.101	62643	114.114.114.114	53
192.168.56.101	62644	114.114.114.114	53
192.168.56.101	62645	114.114.114.114	53
192.168.56.101	62646	114.114.114.114	53
192.168.56.101	62647	114.114.114.114	53
192.168.56.101	62648	114.114.114.114	53
192.168.56.101	62649	114.114.114.114	53
192.168.56.101	62650	114.114.114.114	53
192.168.56.101	62651	114.114.114.114	53
192.168.56.101	62652	114.114.114.114	53
192.168.56.101	62653	114.114.114.114	53
192.168.56.101	62654	114.114.114.114	53
192.168.56.101	62655	114.114.114.114	53
192.168.56.101	62656	114.114.114.114	53
192.168.56.101	62657	114.114.114.114	53
192.168.56.101	62658	114.114.114.114	53
192.168.56.101	62659	114.114.114.114	53
192.168.56.101	62660	114.114.114.114	53
192.168.56.101	62661	114.114.114.114	53
192.168.56.101	62662	114.114.114.114	53
192.168.56.101	62663	114.114.114.114	53
192.168.56.101	62664	114.114.114.114	53
192.168.56.101	62665	114.114.114.114	53
192.168.56.101	62666	114.114.114.114	53
192.168.56.101	62667	114.114.114.114	53
192.168.56.101	62668	114.114.114.114	53
192.168.56.101	62669	114.114.114.114	53
192.168.56.101	62670	114.114.114.114	53
192.168.56.101	62671	114.114.114.114	53
192.168.56.101	62672	114.114.114.114	53
192.168.56.101	62673	114.114.114.114	53
192.168.56.101	62674	114.114.114.114	53
192.168.56.101	62675	114.114.114.114	53
192.168.56.101	62676	114.114.114.114	53
192.168.56.101	62677	114.114.114.114	53
192.168.56.101	62678	114.114.114.114	53
192.168.56.101	62679	114.114.114.114	53
192.168.56.101	62680	114.114.114.114	53
192.168.56.101	62681	114.114.114.114	53
192.168.56.101	62682	114.114.114.114	53
192.168.56.101	62683	114.114.114.114	53
192.168.56.101	62684	114.114.114.114	53
192.168.56.101	62685	114.114.114.114	53
192.168.56.101	62686	114.114.114.114	53
192.168.56.101	62687	114.114.114.114	53
192.168.56.101	62688	114.114.114.114	53
192.168.56.101	62689	114.114.114.114	53
192.168.56.101	62690	114.114.114.114	53
192.168.56.101	62691	114.114.114.114	53
192.168.56.101	62692	114.114.114.114	53
192.168.56.101	62693	114.114.114.114	53
192.168.56.101	62694	114.114.114.114	53
192.168.56.101	62695	114.114.114.114	53
192.168.56.101	62696	114.114.114.114	53
192.168.56.101	62697	114.114.114.114	53
192.168.56.101	62698	114.114.114.114	53
192.168.56.101	62699	114.114.114.114	53
192.168.56.101	62700	114.114.114.114	53
192.168.56.101	62701	114.114.114.114	53
192.168.56.101	62702	114.114.114.114	53
192.168.56.101	62703	114.114.114.114	53
192.168.56.101	62704	114.114.114.114	53
192.168.56.101	62705	114.114.114.114	53
192.168.56.101	62706	114.114.114.114	53
192.168.56.101	62707	114.114.114.114	53
192.168.56.101	62708	114.114.114.114	53
192.168.56.101	62709	114.114.114.114	53
192.168.56.101	62710	114.114.114.114	53
192.168.56.101	62711	114.114.114.114	53
192.168.56.101	62712	114.114.114.114	53
192.168.56.101	62713	114.114.114.114	53
192.168.56.101	62714	114.114.114.114	53
192.168.56.101	62715	114.114.114.114	53
192.168.56.101	62716	114.114.114.114	53
192.168.56.101	62717	114.114.114.114	53
192.168.56.101	62718	114.114.114.114	53
192.168.56.101	62719	114.114.114.114	53
192.168.56.101	62720	114.114.114.114	53
192.168.56.101	62721	114.114.114.114	53
192.168.56.101	62722	114.114.114.114	53
192.168.56.101	62723	114.114.114.114	53
192.168.56.101	62724	114.114.114.114	53
192.168.56.101	62725	114.114.114.114	53
192.168.56.101	62726	114.114.114.114	53
192.168.56.101	62727	114.114.114.114	53
192.168.56.101	62728	114.114.114.114	53
192.168.56.101	62729	114.114.114.114	53
192.168.56.101	62730	114.114.114.114	53
192.168.56.101	62731	114.114.114.114	53
192.168.56.101	62732	114.114.114.114	53
192.168.56.101	62733	114.114.114.114	53
192.168.56.101	62734	114.114.114.114	53
192.168.56.101	62735	114.114.114.114	53
192.168.56.101	62736	114.114.114.114	53
192.168.56.101	62737	114.114.114.114	53
192.168.56.101	62738	114.114.114.114	53
192.168.56.101	62739	114.114.114.114	53
192.168.56.101	62740	114.114.114.114	53
192.168.56.101	62741	114.114.114.114	53
192.168.56.101	62742	114.114.114.114	53
192.168.56.101	62743	114.114.114.114	53
192.168.56.101	62744	114.114.114.114	53
192.168.56.101	62745	114.114.114.114	53
192.168.56.101	62746	114.114.114.114	53
192.168.56.101	62747	114.114.114.114	53
192.168.56.101	62748	114.114.114.114	53
192.168.56.101	62749	114.114.114.114	53
192.168.56.101	62750	114.114.114.114	53
192.168.56.101	62751	114.114.114.114	53
192.168.56.101	62752	114.114.114.114	53
192.168.56.101	62753	114.114.114.114	53
192.168.56.101	62754	114.114.114.114	53
192.168.56.101	62755	114.114.114.114	53
192.168.56.101	62756	114.114.114.114	53
192.168.56.101	62757	114.114.114.114	53
192.168.56.101	62758	114.114.114.114	53
192.168.56.101	62759	114.114.114.114	53
192.168.56.101	62760	114.114.114.114	53
192.168.56.101	62761	114.114.114.114	53
192.168.56.101	62762	114.114.114.114	53
192.168.56.101	62763	114.114.114.114	53
192.168.56.101	62764	114.114.114.114	53
192.168.56.101	62765	114.114.114.114	53
192.168.56.101	62766	114.114.114.114	53
192.168.56.101	62767	114.114.114.114	53
192.168.56.101	62768	114.114.114.114	53
192.168.56.101	62769	114.114.114.114	53
192.168.56.101	62770	114.114.114.114	53
192.168.56.101	62771	114.114.114.114	53
192.168.56.101	62772	114.114.114.114	53
192.168.56.101	62773	114.114.114.114	53
192.168.56.101	62774	114.114.114.114	53
192.168.56.101	62775	114.114.114.114	53
192.168.56.101	62776	114.114.114.114	53
192.168.56.101	62777	114.114.114.114	53
192.168.56.101	62778	114.114.114.114	53
192.168.56.101	62779	114.114.114.114	53
192.168.56.101	62780	114.114.114.114	53
192.168.56.101	62781	114.114.114.114	53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	2fe7b6ccca6b992f_ashnin.exe
Filepath	C:\Users\Administrator\AppData\Roaming\Microsoft\ashnin.exe
Size	205.8KB
Processes	3028 (05c8cbd8e5353d19cda79a909da73b1fcf52ac81c10841c9c5b229c428dcbe08.exe)
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`737bdc9c99f28510e20ed04e8b9bb5c7`
SHA1	`f8bcd5694b9f59dc091ae7c51343a78fa3a01860`
SHA256	`2fe7b6ccca6b992f9613afd14be80bb854b94341079dd9b1a315ba2b017a3630`
CRC32	`F853808E`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.

domain	ns1.cloud-name.ru				description	俄罗斯联邦域名 TLD
domain	ns2.cloud-name.ru				description	俄罗斯联邦域名 TLD

ALYac	Trojan.BRMon.Gen.3
APEX	Malicious
AVG	Win32:Malware-gen
Acronis	suspicious
Ad-Aware	Trojan.BRMon.Gen.3
AhnLab-V3	Win-Trojan/Gandcrab02.Exp
Antiy-AVL	Trojan/Win32.TSGeneric
Arcabit	Trojan.BRMon.Gen.3
Avast	Win32:Malware-gen
Avira	TR/AD.GandCrab.ecpqx
BitDefender	Trojan.BRMon.Gen.3
BitDefenderTheta	Gen:NN.ZexaF.34108.mu2@amWffHei
Bkav	W32.AIDetectVM.malware
CAT-QuickHeal	Trojan.Chapak.ZZ6
ClamAV	Win.Dropper.Gandcrab-6518210-0
Comodo	TrojWare.Win32.Crypt.AEG@7ku1nk
CrowdStrike	win/malicious_confidence_100% (D)
Cybereason	malicious.0ad173
Cylance	Unsafe
Cyren	W32/Gandcrab.AI.gen!Eldorado
DrWeb	BackDoor.IRC.Bot.5026
ESET-NOD32	a variant of Win32/Kryptik.GESY
Emsisoft	Trojan.BRMon.Gen.3 (B)
Endgame	malicious (high confidence)
F-Prot	W32/Gandcrab.AI.gen!Eldorado
F-Secure	Trojan.TR/AD.GandCrab.ecpqx
FireEye	Generic.mg.333c2d70ad17383a
Fortinet	W32/Kryptik.GOGY!tr
GData	Trojan.BRMon.Gen.3
Ikarus	Trojan-Ransom.GandCrab
Jiangmin	Trojan.Banker.Jimmy.ef
K7AntiVirus	Trojan ( 0052908c1 )
K7GW	Trojan ( 0052908c1 )
Kaspersky	HEUR:Trojan.Win32.Generic
MAX	malware (ai score=88)
Malwarebytes	Trojan.MalPack
MaxSecure	Trojan.Ransom.GandCrab.Gen
McAfee	GenericRXEK-XA!333C2D70AD17
MicroWorld-eScan	Trojan.BRMon.Gen.3
Microsoft	Trojan:Win32/Gandcrab.DHA!MTB
NANO-Antivirus	Trojan.Win32.Ursnif.ezdauq
Qihoo-360	HEUR/QVM10.1.ED7C.Malware.Gen
Rising	Trojan.Kryptik!8.8 (TFE:dGZlOgW/QY6JxvtV0g)
Sangfor	Malware
SentinelOne	DFI - Malicious PE
Sophos	Mal/Agent-AUL
Symantec	Packed.Generic.525
Tencent	Malware.Win32.Gencirc.10b8b809
Trapmine	malicious.high.ml.score
TrendMicro	TSPY_EMOTET.SMB1

cmdline	nslookup zonealarm.bit ns2.cloud-name.ru
cmdline	nslookup ransomware.bit ns1.cloud-name.ru
cmdline	nslookup ransomware.bit ns2.cloud-name.ru
cmdline	nslookup zonealarm.bit ns1.cloud-name.ru

host	114.114.114.114
host	8.8.8.8