1.5
低危
DACN
0.15
FACILE
1.00
IMCLNet
0.78
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Delf-VJY [Trj] | 20200728 | 18.4.3895.0 |
| Baidu | Win32.Backdoor.Wabot.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200728 | 2013.8.14.323 |
| McAfee | W32/Wabot | 20200728 | 6.0.6.653 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(3 个事件)
| section | CODE |
| section | DATA |
| section | BSS |
动态指标
在文件系统上创建可执行文件
(19 个事件)
| file | C:\Windows\System32\xdccPrograms\FlickLearningWizard.exe |
| file | C:\Windows\System32\xdccPrograms\inject-x86.exe |
| file | C:\Windows\System32\xdccPrograms\execsc.exe |
| file | C:\Windows\System32\DC++ Share\wmpconfig.exe |
| file | C:\Windows\System32\xdccPrograms\inject-x64.exe |
| file | C:\Windows\System32\xdccPrograms\ConvertInkStore.exe |
| file | C:\Windows\System32\DC++ Share\Journal.exe |
| file | C:\Windows\System32\DC++ Share\wmpnscfg.exe |
| file | C:\Windows\System32\DC++ Share\msinfo32.exe |
| file | C:\Windows\System32\DC++ Share\wmpenc.exe |
| file | C:\Windows\System32\DC++ Share\ieinstal.exe |
| file | C:\Windows\System32\DC++ Share\wmprph.exe |
| file | C:\Windows\System32\xdccPrograms\Procmon.exe |
| file | C:\Windows\System32\xdccPrograms\InkWatson.exe |
| file | C:\Windows\System32\DC++ Share\WMPSideShowGadget.exe |
| file | C:\Windows\System32\DC++ Share\ShapeCollector.exe |
| file | C:\Windows\System32\DC++ Share\wabmig.exe |
| file | C:\Windows\System32\xdccPrograms\is32bit.exe |
| file | C:\Windows\System32\DC++ Share\WMPDMC.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell | reg_value | Explorer.exe sIRC4.exe | ||||||
文件已被 VirusTotal 上 64 个反病毒引擎识别为恶意
(50 out of 64 个事件)
| ALYac | Trojan.Agent.DQQD |
| APEX | Malicious |
| AVG | Win32:Delf-VJY [Trj] |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.DQQD |
| AhnLab-V3 | Backdoor/Win32.Wabot.R231859 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Wabot.a |
| Arcabit | Trojan.Agent.DQQD |
| Avast | Win32:Delf-VJY [Trj] |
| Avira | TR/Dldr.Delphi.Gen |
| Baidu | Win32.Backdoor.Wabot.a |
| BitDefender | Trojan.Agent.DQQD |
| BitDefenderTheta | AI:Packer.E2C7CD2621 |
| Bkav | W32.BackdoorWabot.Trojan |
| ClamAV | Win.Trojan.Wabot-6113548-0 |
| Comodo | Backdoor.Win32.Wabot.A@4knk5y |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.f57767 |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/Backdoor.PJEB-4161 |
| DrWeb | Trojan.MulDrop6.64369 |
| ESET-NOD32 | Win32/Delf.NRF |
| Emsisoft | Trojan.Agent.DQQD (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Wabot.A |
| F-Secure | Trojan.TR/Dldr.Delphi.Gen |
| FireEye | Generic.mg.9d0c931f5776742a |
| Fortinet | W32/Wabot.A!tr |
| GData | Win32.Backdoor.Wabot.A |
| Ikarus | P2P-Worm.Win32.Delf |
| Invincea | heuristic |
| Jiangmin | Backdoor/Wabot.z |
| K7AntiVirus | Trojan ( 0055c5c91 ) |
| K7GW | Trojan ( 0055c5c91 ) |
| Kaspersky | Backdoor.Win32.Wabot.a |
| MAX | malware (ai score=81) |
| Malwarebytes | Backdoor.Wabot |
| McAfee | W32/Wabot |
| MicroWorld-eScan | Trojan.Agent.DQQD |
| Microsoft | Backdoor:Win32/Wabot.A |
| NANO-Antivirus | Trojan.Win32.Wabot.dmukv |
| Panda | Backdoor Program |
| Qihoo-360 | HEUR/QVM05.1.DDA9.Malware.Gen |
| Rising | Worm.Chilly!1.661C (RDMK:cmRtazozAIFhMgYuZx1mbuPLTnsB) |
| SUPERAntiSpyware | Backdoor.Wabot/Variant |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Luiha-M |
| Symantec | W32.Wabot |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:40:53
PE Imphash
5662cfcdfd9da29cb429e7528d5af81e
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| CODE | 0x00001000 | 0x0000c984 | 0x0000ca00 | 6.572458888267131 |
| DATA | 0x0000e000 | 0x00000a1c | 0x00000c00 | 4.533685500040435 |
| BSS | 0x0000f000 | 0x00001111 | 0x00000000 | 0.0 |
| .idata | 0x00011000 | 0x0000083e | 0x00000a00 | 4.169474579751151 |
| .tls | 0x00012000 | 0x00000008 | 0x00000000 | 0.0 |
| .rdata | 0x00013000 | 0x00000018 | 0x00000200 | 0.2108262677871819 |
| .reloc | 0x00014000 | 0x00000710 | 0x00000800 | 6.25716095476406 |
| .rsrc | 0x00015000 | 0x0000167c | 0x00001800 | 3.2124871953120624 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000164a8 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000164a8 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000164a8 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_RCDATA | 0x000165e0 | 0x00000078 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x000165e0 | 0x00000078 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x00016658 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library kernel32.dll:
• 0x4110c8 DeleteCriticalSection
• 0x4110cc LeaveCriticalSection
• 0x4110d0 EnterCriticalSection
• 0x4110d4 InitializeCriticalSection
• 0x4110d8 VirtualFree
• 0x4110dc VirtualAlloc
• 0x4110e0 LocalFree
• 0x4110e4 LocalAlloc
• 0x4110e8 GetCurrentThreadId
• 0x4110ec GetStartupInfoA
• 0x4110f0 GetModuleFileNameA
• 0x4110f4 GetLastError
• 0x4110f8 GetCommandLineA
• 0x4110fc FreeLibrary
• 0x411100 ExitProcess
• 0x411104 CreateThread
• 0x411108 WriteFile
• 0x41110c UnhandledExceptionFilter
• 0x411110 SetFilePointer
• 0x411114 SetEndOfFile
• 0x411118 RtlUnwind
• 0x41111c ReadFile
• 0x411120 RaiseException
• 0x411124 GetStdHandle
• 0x411128 GetFileSize
• 0x41112c GetSystemTime
• 0x411130 GetFileType
• 0x411134 CreateFileA
• 0x411138 CloseHandle
Library oleaut32.dll:
• 0x411160 SysFreeString
Library kernel32.dll:
• 0x411168 TlsSetValue
• 0x41116c TlsGetValue
• 0x411170 LocalAlloc
• 0x411174 GetModuleHandleA
Library kernel32.dll:
• 0x41118c WritePrivateProfileStringA
• 0x411190 WinExec
• 0x411194 UpdateResourceA
• 0x411198 Sleep
• 0x41119c SetFilePointer
• 0x4111a0 ReadFile
• 0x4111a4 GetSystemDirectoryA
• 0x4111a8 GetLastError
• 0x4111ac GetFileAttributesA
• 0x4111b0 FindNextFileA
• 0x4111b4 FindFirstFileA
• 0x4111b8 FindClose
• 0x4111bc FileTimeToLocalFileTime
• 0x4111c0 FileTimeToDosDateTime
• 0x4111c4 ExitProcess
• 0x4111c8 EndUpdateResourceA
• 0x4111cc DeleteFileA
• 0x4111d0 CreateThread
• 0x4111d4 CreateMutexA
• 0x4111d8 CreateFileA
• 0x4111dc CreateDirectoryA
• 0x4111e0 CopyFileA
• 0x4111e4 CloseHandle
• 0x4111e8 BeginUpdateResourceA
Library user32.dll:
• 0x4111f0 SetTimer
• 0x4111f4 GetMessageA
• 0x4111f8 DispatchMessageA
• 0x4111fc CharUpperBuffA
Library wsock32.dll:
• 0x411204 WSACleanup
• 0x411208 WSAStartup
• 0x41120c gethostbyname
• 0x411210 socket
• 0x411214 send
• 0x411218 select
• 0x41121c recv
• 0x411220 ntohs
• 0x411224 listen
• 0x411228 inet_ntoa
• 0x41122c inet_addr
• 0x411230 htons
• 0x411234 htonl
• 0x411238 getsockname
• 0x41123c connect
• 0x411240 closesocket
• 0x411244 bind
• 0x411248 accept
L!This program must be run under Win32
.idata
.rdata
P.reloc
P.rsrc
StringX
TObject%8
;u3YZ]_^[
SVWUL$
]_^[SVWUL$
uZ]_^[
YZ]_^[
_^[U3Uh
d2d"h@
d2d"=5@
u3ZYYd
#_^[SVWU
SVW<$L$
uSVWU@
]_^[USVW
d1d!=5@
2E3ZYYd
E_^[YY]
UQSVW3@
3Uh6"@
d1d!=5@
E3ZYYd
E_^[Y]
YZ]_^[
d2d"=5@
}3ZYYd
E_^[Y]
$PRQ$"
_^SVWU
< v;"u
3C<"u1S@
>3Q<"u8S
< w]_^[
Ek<1fU
Ht Ht.g
6Huv=L
VI3E?E3s
3EE_^[Y]
f=r/f=w)f%f=u
f=v)f=w#j
RPCHPt$
-C GL$
SVWPtl11
-tb+t_$t_xtZXtU0u
FxtHXtCt
~ExC[)A
FuY12_^[
PRQYZXt5x
@~d@PQ@
YXYX
uM3UhU3@
EP3ZYYd
f%fUf?f
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
Iu9u_^[
PRQQTj
YZXtpH
S1VWUd
SPRQT$(j
Zd$,1Yd
t=HtN`
r6t0R=
t/=t&,*&"
3UhB:@
USVW$@
d2d";~
P'v_^[]
aSVWt@
^v]_^[
QRZX1Yd
PVSY_^[]
PQiZXSVW
ISVWRP1L
JZ_^[X$
thtkFW)w
9uXJt
8uAJt
t8JIt2S
PHXHI|
St-Xt&J|
t0JN|*9}&~")9~
tVSVWU
t@t1SVW
1Z)_^[
@+u<E@
USVWE(@
d0d ]ES
u_^[YY]
UQE3UhF@
d2d"E@
t3ZYYd
%3ZYYd
U3UhH@
U3UhH@
3U3UhAJ@
P~ SD$
U3UhK@
U3UhK@
U3UhL@
TFileNameL@
TSearchRecX
U3UhdM@
EEb3Uh
tC&EPU
U3ZYYd
U3QQQQQEE3UhN@
d0d EM
EPU3EPtKh
EcPh0O@
system.ini
Explorer.exe
UEEEz3Uh.P@
d0d U,
EP3ZYYd
IuQSEE3UhpR@
tjtfhR@
t-u)hR@
u-t)hR@
" -a -r "
" a -idp -inul -c- -m5 "
software\microsoft\windows\currentversion\app paths\winzip32.exe
software\microsoft\windows\currentversion\app paths\WinRAR.exe
C:\rar.bat
C:\zip.bat
PHuES3
E.E&3UhT@
EPEPEP?
a3ZYYd
IuSVWEE3UhX@
d0d UEJ
U3YEU.Ef
EU\EUQE;}>%
EnSEcPd
to3Uh2X@
EP3ZYYd
IuQSVWEE
3Uhh\@
U3UhY@
d0d G3ZYYd
$UFuh\@
VUEL@t}0EUm3E
EZPE~h
=3_^[]
abcdefghijklmnopqrstuvwxyz-_.1234567890
IuQMSVWMUEEEE
+3Uha@
d0d 3Uha@
d0d EU|
u?8.t4uha@
u |U|ttx
yu pUkp0hwhlj
u XUXPPT
u LUrL7D~DHq
-u @U @8+8<
u 4U4,,0
u (Uy(6 $x
3Uh"d@
d0d 3Uhc@
d0d EE
8.teChTd@
N3ZYYd
_y_^[]
NOTICE
:to get this, type !xdcc_get
bytes)
uTC,PSC
EE>3Uhe@
d0d SU
E3ZYYd
EE3Uhf@
d0d SUf@
PRIVMSG
UdSVW3
dhEE3UhSh@
d0d 8lPh
d2d"EP
s3ZYYd
c3ZYYd
ZE.H_^[]
BFKu_^[
USEE"3Uhh@
d0d UE3ZYYd
U3QQQQQQQQS3Uh
| v;}
N|7 vU+A
M3Uhj@
U3ZYYd
EE3UhPk@
EPE!PS63ZYYd
E1K[Y]
3UhYl@
\DC++ Share
\xdccPrograms
EE33Uh?m@
d0d EUFUTm@
a~&EPUTm@
EZSUTm@
U3ZYYd
f\[YY]
EE3Uhm@
d0d EEPEePt,P3
EU3ZYYd
U3UhQn@
TWarBotUj
SV3Uho@
EPSE/Eo@
03ZYYd
IuQSVWd3Uhs@
`U\E\U\
EPSEPcfC
PfEEU:E
X/XUX8
3EU,t@
~&EPU,t@
EZU,t@
\uh8t@
L3LP P
PcPhlt@
EIHhlt@
DE0Dhxt@
\E>EPj
EPtPEP
SfPV j
EPzVt3ZYYd
PRIVMSG #hellothere :
&%->=
PRIVMSG
DCC SEND
IuMSVU
EN3Uhy@
d0d EUaE
EEPUy@
;~iEPUy@
EEU8EPU
EZWEPU
EZ1EPU
EEPUy@
EZEUUy@
:3ZYYd
PING :
type !list for my list
!list
for my list
!xdcc_get
#helloThere
#helloThere,
JOIN #HelloThere
LIST >4,<10000
U3QQQQSE
3Uh,|@
YUuhp|@
?Uuh||@
G3ZYYd
PRIVMSG
ACTION
!list
for my list
SVWE3Uh@
E3ZYYd
NICK [xdcc]
NICK [mp3]
NICK [rar]
NICK [zip]
NICK [share]
NfrSF3
Pzu _^[
31ff%3vcc%%112c23J33c22322332crc3cr233J2fJffJv%1[J33JccJccfcc2fc2JfJ223rrcrrJ2cc3f2r3r233Jcf2rf3ffJfrJrr3f2]fr[2rvJ23%1JJJc1fc22%J[rr]ff2rr2%ff32f2J23r323223J2rc333cc2fJJ3JJ2ccrfrJr2r3JJrcfc322f3cr3rcJ33f33rcrrrcf3cfrffJ2cff2r22fJJf3rr33rJ2f3cJJc33r3crrcf33cJJrffr2fJ2f22fc3ffrrJ32cJf
]2]3r]31111rfr2crcJ3[%%]]vJf3233Jr22fJrvvv[v[Jc3Jc3rcccrfJ3ccfffJ3c32Jfrc2ffr3cJ222JcfrJrJ322r2ff3Jr2JJcffcc3vJ]c2[2%Jv%2]rf2J213]3[v2]33[2[J32c2r33rrf2c2cff23rJJf22cf3crJc2fJJrcc33c2fccJ332rJJcrrffJr2ffrcJ3frJc23frcr22c2rcJc2cJcff2c3cfrJrf2rfr2c232cff3332fJ2r2c2cfJ23f3J3f333J22r2f33
J]"^^"^^^^^""""""""""""""""""""""""""""""""""""""""^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"=~\=yw$="^^"^^^"jCzyw6=^"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^=
ff^ ."k^"=!24G;. .. .!nzL4OJ"~~.. . .=
]J^ . .!sG!7{^!s8G=.. .^68Vs2!;.;*}.. =
f1" ............. ._Inzoz6$295. ..^lkcv".."";"L. .=
1c^ . ,!%6***O8Izy. .!j_". .;w=;]. . =
ff^ . . . . . . . . . . .. .. . ... . . .. . .. .^|uuzw94V9=. .. :"=^,..uS?^. . . . .. . . . . . . . . ... . . . . . . . . . =
Jf^ .. . . . . . . . . . . . . . . . . .. .. . .. .. . .}6T6$i!+~,.. ~O4u{!!je^. . . . . .. . . . . . . . . . . . . . . . . . . ... . . . ... . . =
22^ ... . . . . . . . . . . . . .......... . . .. ... ... ...... . .6Ic35I=. . . ...^v}ca$l^. . . . . . . .. . . .. ... ...... . .. .. .. ... . . . ....:... . ......,.... .. . =
fJ^ . ....:..... ...... ........... . . . .:,!!<-!==!"... . . ...:...:..:..,. . .^!\, ..,,..:.,.. . . ..:,^^.... .. . .....:.... ... ....,:..,., ..\((?>(==^:. . . . ......,,.:.. ,."!!.. . . . ...^"~?(|^ .... . .. =
cJ^ .."J4nTn5TaL<.;"clJws2:. ..."=i?2ai<,.. . . ..^~%yehY3CAh5Ti~|~. . . ^11J3399T16c;..^)JL5o.^]ff2t??]3+=. .^?t{$]t=~|]t. .isfanzCC%". . .rsyz4LVYT9C~. ..^j5*hPDPe0TmaT1~;. .54wjtffi%J!. ."+jjwc%i]=^. ..;!?2t+mFDK=;(zs?;... =
r2^ .=gYDFSQUgDj-GkK5oVhFJ!. "!9m*JaPa?. . .;!Jau$UFU*a*n$y1VOb~.. . =UG0LskShqpU"^n5gpq8.=ATIIn2*m*U... "J6n3)!!=pd. .;*PpdUk}v+t^ . ..bZAgFPDUonPb.. . .!GZQPPms%+tij6DQ9=. .%UszufL4s4mj..)5m58T9&f! .:tnS$_!+&PDDl"IpDg=";. =
fJ^ .tXeT0kVqDF]xDqhs04GmZ^.]wTTCrkFV2[^ . ..^7Tr}":.....8CcVwu%"". ..=ZkasJ[%rOm&"{nZqff}\.=Vu1]rOk]zTk ..."royC3wDQx8 .+%bQDFFFh}". . .x8VYhhgg4oTk .:-az0{"... :wkkOpPP*T;. . (tv0gPUpAGbc"+kyw69*&mUG0&G.. .. ,~I&Qi. ....=21UPmTP2 . =
3J^ .+#d04kO5VUL#AFFL8&YOFFc=sanCv*qZac_,. . .|c3V~, . iVuIrsY5y... .=OC23c3cfI54"k4V?(69t.)g9I$JVUi!t[ . .."CCTyL*Zhe4....6!obQFUDD8i. .. :xasaePQUkSPx. . ~Fprn^ ..SFPPDbGz&$". .iyuJeFk5O4Ta$5w|i1oC8*4eG*O:. . .jcTh- ..,J=3gDOddh.. =
32^ .tWx50GGs$Ca"^=*h4xhyXWAx^-JII*gW52C^. .^ny$~:... . "9sC%]uGnb5v... ~8kkny6u$$2+~It^.:^^^.?Ume4zsbn~<l. .^+zJkhqDSkG.. .Sc?c5qDPFX1:. . :hOzfOxL8dWKg. ..=khb7. .. .9PDPQJ4GY%,. .%ghTkxOru]7wxu^.;|JnT*T&8Oh{.. .Ja$"... . . )+%mF8Feh~,. =
cc^ .+#h%l[6okkL..!x0*Zq5Zqde. "VsJ*XXpJ$" . !n37.... . ;++cj1+iyACi^.. ~CCuw9LOY4Vo[i, . .?d532taFULy8 .. ."jJ$5gqpDmIs ...Dp5rrsDDFX. .wVXQ6VKWKK#d .)qPU ...}WA*njyZkXF! ..}bFPpkx611axI!.. /%aOmmr!ti6... ,vn\. .=3w&pO*LG^. =
ff^ :tbuy6o0ZQW(..>x&ZAeDnbAs. ^sTrg#SAI+. +7". .. . ^$iilvr+&m]i" ~a9kk*G88TCc|... . .=LCJ2nSd&uT ..!ltfdZZFk]|s....WFV3nvlwdF$. .4OPdVdQQFpxT.. ~be!. .. . .[e55T5eFVFb!. .tQpQqPGzrT&G, ..<nfnn8$+i%w^. !^... . . +ombY&q9,^. =
rr^ . ?gxPSZFqFZ) .<AZUdVDC9bz "&f$qXPb6zf. ..... . . :tT6}JIck5t%|. )p*&890VcCy~ . .(shI+2FFxyi . /r9pAFQp$j!Y... #FD4s!/}*Pf, . .*pO*hO8nTf+. . .... . .. .lxUhLQDdLQq7. .=$khAQS8T*4j ...:=a!i+35*8oT=. . .. . .|o]IyZFA[Ve" =
Jr^ .iDSFgpqZxh= .!QdQSTXk$&T "e%veDFPzz1 .. .... .. :~VqCtju8z2Y) ..)8k8522%$5mc; .(aO7+IsxQFV=. ."$dddDeY$vQ. .eFQD5%kPh3>. .YZeqQPZU06uz. . . . .. . .)65OgDFAqUPu. .tTw$*Ud8Oa). .~xc!|jkaTs6!. .... .. .. .|Off4PVT8Fb^ =
c1^ =ZggAA*auv!..=SgQPwUn2r. "#V$TQPQss% . . ,";^;.. .t*dk3++*T6V= |YnC)"tI4*0+... .i82]ww6aPpx6 ...<8AqFhsu9uF . *PS#q1+!~<. . ,4QDqdDpDxw5b.. . . "!"\^...=?78xPdkUPA.. .[Gk0c]TLm&2_. .?0o$u[TLCzw). . . . ;^"";...+dmsYGO&DF*^ =
21^ ..)ggAO0n11]~ !*SbP8LI]t.."Kh6IdPUna] . . .."${C}:...|y4$a[=sTV*| . =3ti~!1GepG+. .. .ib$fC3CSDQF ..!eFDUnuIC5W.. nUFXSfvttCi: .. :ygPQGSDSh*gb . ..ia4h]^..|i$mVd*CAUDu.. .lhYeZVTs5&!.. .=u96zI6$n=.. . ...?s*n|...iPbq*Y8pA*n;. =
c%^ ..=OLCa&YIn8= ."J4L86yG4k+ "DWQxDQSsIs . ..!}=oZicz{3{"rOdbA*DnyCC~ ?8kL8Oonzc2t. .=*o|"^~lZPgK . .!qDQarvuCJ2L . .ITPW#uooont... .%qPbLJSpmUPh. ...!YZYG&aDOsg2swY9ZTrD5Lu. .iDx&bFdDPPz~ . .!3Cft"!t$8J!. .. "sT*GFDXKWWS]QqQxq0hPXq^. =
3[^ ..?PFamG&LpF( .!Gxh*nyr3&J. "KFDUUFFonV. . ;|3o3o8c+~"\~~7Cnbgx8C333! |G0O4mGkVnu+.. .=Y**TYGTmeFW ...!DUO1yzys8xx . IfsxFuow6y+, .|FZPL2rTmQWS. -xakmdUe8!!nPe9e&o?iT]ao. .jQZY6TGbZgnl . ..\IVhm7=z9)... ./wfJc}]w==0hUbQm400*&Qd^ =
f1^ . ,?SZ*n5cQAQi .!ASdegZ4*4} ."epQQmAFy*0. .=smS5yLa<; :!y0VAGko]ftJ? ?pp4VGV40GG{ .!asO4gDq44dX.. !q&6&bQXFQpP . 3u4qo&5yC(, .. .~dbph1cYKXG.. }p*0Tm*qg.. "pSaey/^_r0Uw. ..+UQh7)[y&dZ{ . .?na*kG{Cz%C!.. ;o9v%jJur=,.^)ObOuY*aOSFU^ =
f]^ ..=4OpT%2FgPi "VdUdUDDbUw .^5ZFDY#WzV* .*WK#qnQp". ~pbZx9T61vi~ =*GOGOGmL4Lt. .1oa&ApFe4gK . \hxpSFPFSWQq ..sncsAkCIC+. :=FAPh[1ikWA6. ,2DKQaUpYx. .&Z8A$^.>6qPz. .[AFps9aa88k{. .<L8*G89wu$$=. ..)051vCY6!.. ,tYy3kUk&ppQ^. =
r3^ . . .tQnQbywY4Y~ .!o&&AAAdFPs "U$%8#&Y9xb. .uPPLurVXF+.. ."d*YIf5*[[G&=. !raazIas&4*7.. . . .?U2aWxsDF*P . ..!ePDQDQFDOu]. OIo2u+uT447. .!sPWdl+7n[Ia. .)GWWgO$LG {ggqo++1PFS.. .=dAUdy4Y&&g{ . ./CyIC]]r$&i. .!$GT+c*wmL). . =1[khQb*nDg^ =
c2^ . ,tXGt5VTfaO= .>h5L&hgUQn.."XGzoae8*Xg .!F5(~)IYWPv: "mw5h&2r**= =yJO5J]vf96(.. . ..(D8~thFC1nOP . .ppdhLsCui1$....69nVwfuzr. ..\$#Xx]$Tynw%..=mhKQPV06CJ .+hhxivcyFpU. ..)VqdZVx$fLZl ..,t6OwC7f6ws(. :IxxT[Ynnw~. ^=TdpqQUYxZ^ =
Jf^ :.. .,tKxi6%ausm= .!psGf]5kYe5,."XgDhJqSmF&. "Zi?!!vTKgj.. ^G5Vab08$wk*( )L$r1uII6zt.. .)dUT%LPWJv4Q . ..^J$cuttt[fkm. 22*kwaYT647.. ./3pPhwm9o5k$..i#hbbqw$IC(. .7Z&9|w?iPbg$ . >+5hSg6urIZv ;c8mw2[2JV[/.."&Z*zfwma9a= . ,iUdPFdDs(o" =
Jf^ ;^:,..|ZFiJ1LarV=../Ys52|0aJct:;"bFx8&48xFb :ppTnYV%LXUI. . "P095d&&$5k4t .|8Or1C9TyG8i. .. =g&[yqXeVkg. . .;=Ja[$u35*Y. ci$Cn*948Lt: . .~&phT55$5G6..=Aoosa[{]u~ (9*0wy=?nUQI.. ^6sVb4?1$TQ7 .!OYz$3%iTSf=..~S4GC+cT98x?. .^nAFDQFPG;!; =
f2^ .=!/;:|SD{w$L*fI-..!ezLJ!nY49=.;"FFSO4mbdY0..XXUTT4O0PPn, "bctx*m*Ta48t. =O84$oosoG4+. . . .!}~;^!hPbaqD . ..!aTf$%L&[kmk. . ${IITmT69i:. .:!IaZez3Iw6YT..(zosTa&Ta49 !vom84Vx*5V3. .=DVGeS(Iyq1. =o6f]uw5DUI)..(U8Vvlr&sQW|. ~PQF4DQUP^:. =
fJ^ ^tTnt?2mOszzqSc:^^!hmk6]i99Oo.;_Xb*50Lxd01;"TebbeV0smD]:...^u(rU0O9GLYm)...)8kV*z$cwG*%.,,.:.,:,.jKZJ~")gQFFa...,.(SQPDhV6rJ$Y....cICY&TC6C9j;,,,.^(3rzm]2Ircx8:~0Yq08m8G4hL:.:.tCCw6r(t4eZ+....[AQ&7inmwcU}.... ~m2fc9VUdg3~. =OYme8L9Tnf". ..(&0kT*Qbg), ....... =
fr" v5Zm9r*a5IqZ&^C"<eV0+CkZaTl.;<Lry04as9t13?wQDDSForn0n:^.^^uI8e0JtxGLm)...)L0Lk*T[f**],;^;^;;^^.7XDAholoDPK5..^^:>0PQPQWqrfcY:,^.rw$50O4O5n+^^^^^;t6u3sIo91c89;!zSe48*8GGAn^;^^!=$TVOTt7sa! ^^^vFq2=!sh0+01..:. ^^!12cY&40f!..=qqAew949&o!....{pV84TQDZn!...,..^^^.. . =
2r" >58qpLnIaJegh!s^!6u+=f&As0s^;!CJ4O5{Jwayu"?lQDPF*)7*a^;^;^3TO8n^5x*m|..,=0mLG84TCy4},^;;^.";^.+KDAqSGaDbPa.^^;^-wkbPSDU*ocL.^;.20zswVzys6i^^:;^;fa$fy$m8itvr^;{LG**8maaa;^;^^+ysm4q4YT".^^^%g$"ifIs0+a+::^. ..^iII45Om$!..?pxU8tTP*x0!...,|ksb&wdQAUv^.,:,;^^^; .. =
rc" rmGqA*If1mbU{n;_yur5f6bJ!!Im5$]aGV9".!"feQZZ}5n^^;^"s6bkt^.?Tk*t^,.(yaG*O*4nn&l;^;^^^_^;,=k*FdpAgZQPk^^^;^/%0nhpFKS0]5:;^;C4CuJI3$+^;^^;;zo9su8m(=%[^^iY5$$nu1f9"""^|5I6Ls*Skz[";^^^{6!.iY5y6iCt.;^..^!t6&L&VPkC_..)pUxT+kDOGk=...:taGZs1VDSQ^:^.;^^;;^^ . =
J3" :/yhxxGGf6*Sh0!!a+7J9L*8*G8m$65TTzuwu^^~n]$epqDxa6"^^^!YG*91?".^}O+^^^tuifnYLzmnIi^"^;^Ii^"^jg*~?+{%zmxg^"""^(rtjrwzo0*&^^^;^vzaLsmG*&sj"^^"~Js[C*J*a6CL&5/^==3uJv~OmxT"""^fxO8e6+ze+(3^^"^]e0naYeqT=T];^;;:?U84a$AFLJnj.^"dx4IkWP*45);^^^(ZFLzzIhPDq<;^^",.,^"":.. =
fc" . ?r8OVphC8pbk~!]1!?2]CC$wIL$wI6Cwc$Y*""+xDWFU4hgV]""""!ffomKXS=;!&7""^(ryT24Ooh6u1^""^=a?"""%n7=t{71a*Q^"^""to^=t2GOa5i^""^^}xAmGG4Vnft"!""lmCC4f9II50*f~"!t6$rii*m0w<";_CYoTmT+=o%!J^"""%VSgAP0xZuo7^;"";)en%C0Dbu{h%^"\o7tIqDpzsTt^""^lQ4Tk8cfVdU!^"";. . ;"",. =
3J" +Cl&mLhzomxs~+%""$01J]9Cj$uCk8onTuc""=ubFFPqbLG>""^=aJCxDFXejt9{"""{k4]n53mnT{"""!fJ!""+OkGeZFSaaYS""^;"iO^^i+3owV!"""""jh8k8kos9cc!!_ifiwCTuICz58a](!!+$11[&kG8f!!"!5*8*m&u"=1|%!";.=$0h8U&hG∋"""^tT2+aqF0}$q1^"^>i]fVZOn4U7"""^9&&fwaJ[CLO!^"^.....^^";. =
Jr" .j6(fOqVGoTe3"!fv_^lw%%kC+i1%CuG*Y09a=!!iSQZFbXSkz<"^!tG%jQPDDQhw9t"""jXdr1]1LTO%!-!=4J!/!!CSQPPQFOk44x!()"^+e"./)tI*&"!!"--|mY4YyC$163]+1Oat}JIwC$C8s52tv!!(%]uT8mGm2!_<+*8I5gky"=i=i!":.-!}y0wuoswk7"""";)fuJ0PDTcLD];"^"vS$0ATaZPl!">+mTC]zT5$Tkai_";,.^^!\.^". =
2f" .^"""!!7ffji~ti1rannxs1lcaaVnau=t]uC$n9oT5wwzI}8?$aw{nwY0s3DGtPboI&*eDhs5}!!-]0rr1]Csh4zO3_[g8(~|(=c8a6y6$z9[$S(Uh4~rh[=ijt}s{!!!!!!!}fjtI9o$*t3C*y="Tl|fut+j9c$x5?t=%&O88**J[?!8&m=7m9v}%j~_^"|zy^"+[jsv)iui>!\~~vxOs6Y*pDPPI!!!_~&nzO$*QKb612VmSSgpqYs*een~;"!1dGv++{i?~"^,. =
v3" .!$$Is40&hpbZgbp&k2c]In*&OCzOG8T0v+[5J3Cf6w$r3Ifz2bj|Is0hV4gU0S4=AWg+1ne9TZ]=!>tj7tj5sok3Aj=*gx!)=|}24T&O5Ow+t*Dtqn%]aPqZsGd0C?!<!!=!=~1Cf$f}0k+fYJ?!+wfs&6i=+31LpT?=tJw8LGkatv9iJ}+1=?utn5="_+cY9!+f56sUo!ir?-=!|tnZksY*a4qD*1=!!!!t300aGmL4VhgGkPbQpdoGxkYxl+c0bm}3azyi^;. =
22" ,>6L48eA0meG*GmLm4*i[Iyw$+&m***r1Jizw3[I198Yw1[+{jfFjj[YSQVkUx31i=Z#XJ&Gxs5Fp2t!iTsu%T0YO%spJuS8a~=iJOGV4Y84yf!]ZF)Tmt5APPq0mbS}~!!!()=||+lo828Dn|lt!=(&dSA2%v]f4eT!tvvJYVm2?"[$t$]n5C6$tvCm5t!y5)+f4h*s*G{7[?!=(=+fYuTmknozTrt~_)i+iCgVaGx*YOn$]4AUPDVo4QIUAJsxDQ9}JICaI{>.. . =
J%".^|Aqx*8epO0hV8meGG6stCCC*u%]8yGs$!)=i86c2]t1Oz*v!!"!yFClil8AgU05a!)~9KD$==))kX&~!<!=|=t~~)=~=TS%8gL]{IsV84V*kkf{="?tt?+hCi1w0m4eLY?!!=/~i?===|+5wgDsit==;!lUdU4it+2tIkST(1cccuVI^^!Iwv+%Ogg*0z*G0iuu[t$Z0&s1zhc=|=-==|)?+{+iiti=!=tii1v%t3dmzUqgp837}25s9u(ihU%69{SDUg[3no3i!^. . . =
[f" .;\(lCL*xU4&syCo0YaTV7$Clru6+)ttitnk9$o4&Jfu9o]i~=zWei|l2aC]7tt((?ipDe{~=%KXw~=~~((==?==~=}V&20OwaVLem4V5f%lt|~=}j+ti2%"-{f&Irv+=~~~(|?lt+iti1xSQril+vuLUqxuu+1ll]8pbn}JI3ftt~+]vuwj3{~)t$n0Ts5kC$oIzTI3{=!sFx2=(!"ii|=9[=)t{{7?(t]%r3{jYp5{55o3i|)|}3[[7+]PF{czkqghJ~(=_^;...... ..=
J2" . .!([mm*8oIYT8&ssSbT}}vtuwoCc4cqULv3s6w+(nWQ!tFZAL}+t+++=$WFh+|*FWu=!|=?tti)=i?=nmmyw88m8m&8i|?+}7j)tv7v+)}l}it7]i!tlt~+ts1tiA[+ii5PDg7j+IddAqkizQtff1CSqh5InJ2j]l8F43o8=: "2%[I$%1ooy8zf+(nQDd++=^+it]g%ii=|{+tJ+iju[lyggyj]j}t=\!!=1r{ot2FXvaDPASt^.,;^!()+++("^..=
2v- .==Ch*V8eiv8a8*8wASgkj+ta6oJvLv4DFswIo+9KFr^!zgAFdt=|?|t8QDt!hDZ%)(=i7tt+(!(i=[9*&*Gm4O8nl!i7%}7t+t111t>7v7j+Tli/)]v=!j6&f]iDsi[j8QQPt+7*SPqA!wFftJcyZdPsJC]j+caSPL%$ao!.,?2[vuGti[+$w*88ksIzSPpl1t!+7sDv++t=+ttntt]%t7Gxbf+uTn5T5ojj[]L(%Ue3dFPGt^,!t{aGxpxge8w+"^)
J[/ tc4qkG*5uG4GVUp[0*xPY!3Tmw++nreZPZwu$${IWQw"tjmFdKD&v>^!!IDpI=PXQ{(=i][}+i}yn*TI9Tw9u]TyoIl+}+i{t"+tIu7^t$I%i0$!^tc%!tLAn%%}De}{2xgFU~1*ADeQg}+6pz=$5sUUD6I2c7%3sAK*+z&IJ^:^1r9w*m+=t]lIf9mw*6&uZgD[ji/"(T4F1ttl}[1+*1|=j16eAh%{9TaTG4s9yari*lIPhGbFSw!"=0AZZZdgpSUzt". =
J3- . ^CY8*8T2|*8GahhxC={CVn2n4mt!!s9r6mKKenoIc{eF4+c6G0OFXPqVt=/"hgxnQQ&6$%7}]3(+2mxgUG9u$f20kY*&V0o6t=yt9$67^![cltmO!=Co9xPx[%uzQPh2jDFbm1GSASni=tfceerjw5DgD5oyfruu$6r|!Iz&6j=|$TV8af(tcJ$lt$osCcuT3gqZG+7+"}hPe1rfljII1S5%j%2xQQmjtoknYY8&4ekOeTVgUQQSZLa0hpZgUbd8yt!". . =
Jf/ ..=TG0r!;(Gm45b8mh.,;/+w0To;!^$w52{DKDFQ3u73Ae2JQF!IQZPDQD=IAqDDPp#4u1t[n7!uxFU8mivCfnJO*0Gm86C4O3nrl?(]$uilqg{IVFUULuo2iyIQQ05PDA0FgFDj...6n[VD0{vOAFZ]7uJk2$5^.^f5*$(80*Go9t~"y*$L*{756I}t==YpPQo=+t4A#012171+jDU0cz4bPUv2j2mT94FFQ0&V&TkLZQk4ZFSDPDPPPhs|";. . =
JJ> . .:&oLV*&":;]dG*CqmVh,..,!nGz3.!"a9ou)Y#PFFkcv%FZzyKWt.!L#DgFFgG%&pDPQWPTav=7IufeSq8kG2f2oGL29nV*&Jw$IGaJ5vlT$CIjCUb3f5DQUm1[57/%3xP4VDQh4qPPA^ ..O%bDsikeAF=/+yAJJyy",;3$$][V56y6!!~+yw2xO9fykfi%?zPPps}i+hDAarfucIt+APkCzOgPh]59362apgDDwoa6xUYSUYpPFSFZFG5%=^ . .. ..=
23\ .^ckG*gC.."w0Om7bGk8^..,taw5!."^u9as~+xPpPFntcPZO0PD\..!LdDFQDAsrGDqF#4uy+^=TAbg&8fo6viuaV4w[1uCLnJafu*5vCCzznIvurQpwzebdF3vss1i7tYQgYPPeAQQxl. .^TIttVxLisFAe!:i&PLu90i^^}J[fCocI^;~aLzzrdbGsvI9%{{JQQpktt{FUP6JIrJ%ortAPAz$bQp8]Y8}oVhSFpa}$C$0AZqLLkqZFeGni!;.. . . . . =
r2\ .;t$sV*0f(..^tGm&e~8V8G".,>2J1|!>|?%TTz(^>{shFxLC8PxghO?~!\=1[SbAxhTLeg*ouf)!|9*e0ortjsa{]Two4Yf2ura]{al5n$TasIcjc45QYOxPQe+!20n5$GwoeZxegZh$+~!=ilJOn6YZxn&hdG~l8gZ*iin9[=]3JC>rwIt:"%GLT5zebgV5cc{~8Zde[%0QQZ]6TzIo7nGZ85DDF8wTuxFQAGy?^>|I0Aekk8x84&nIJC2(".. . .. =
Jr\ ._Ca4&4%. .=mhmG4^3G8m=,.(aemmSKXFdPDbA&j]&hpDF[nTww8ksAFqAFPAFFbGA4q4FUc)!tt|t{6)!&xC?c4YTsV1iC$saC$$ouz*Lmw!;;(D{aqOUDQx57IZDFFVwKeaSAxYOG15GZFPPpQQgbbWPdhOsiQgZx=,;tmozuwwo~azkz"iCTG4wuL[r*xAAeIc~tQpqorpQZZTJJ9J3l}CCYAFkFDqmY$IxDQD*sgz_[xXWbpkYeDADAPQhf2f7". .. . =
2c_ .^+8TnTz . ^[dm0GJ;7OGm|..={CLAhKFdAZFPQQbQqxS*pFl3kdPUQUQdFQDDAUUWkkmZDFd[;.:,;+8y]LG+!ukZma**3[J[IOsuCI50*9[".^~b[apbQPZO44bFpQdPTPUmpgzCoUxPQFbSAggPUZQWPesskCoUDdv...!w*ns96u?wTY[=rGTy]|s9uTdSQFxyvt!kbFVJbPQaPC7%7fsLYbFD*DQb9waYPQPd8pb*+hPAqDPa&Ad&pQbDbAd8c(;: .. =
rJ< .!n8ayt;. "JL0*mf,t&Gm!::+^|rGXQSDQPQAAZQFFUY5IYqWWDpApFbbbUUPPFI+v&O0DF3.. ."sD1+*kk!!u&Z8$zm4oI+Jys$uzaoCIv!(=tba4bZdApqpqbUDSQDPwpUD0k*DUDPDDhFFADdPFqpn6*U8cVbpDi;"!+wL8sz89i6z$u240LY==LaJ4qAdDh3v"2ADgngQF1WO+%ueQdV2WPDeDge{9xdQqgO0XZYzI*SPZD55D&GmPFFpUQPb5_^.. . . =
c3- ."~~-;. .)0m4YT~.>$&G),;"...;<1$G*dQQQpgASGYVeeAbKFgpFPqgeSx4T3tVTYheTkx3....temi*hef;^7kmhn)Y8Gaf3Iww$JJ6uc$CfcCe*xZd*eUDDPDdPx8z+%nLhhe4hPphSA*O4aOmO5u6hhZg06hPAh$nVLxo4k4wwwcwr9y6ms4!;"9o5J7USASpOr+tDDDOFpG=FJrOSXxnJfdPDZdQ6ugFqZ0+"iKQhl+8DqxFh3PFexGheSdZSPg85)^.... =
cJ> . . &GYm5!...-uk=:... . ...:(2C=""~!(=i]lvzYyzj)_~t)>"%dZZZFDhDd{[=: ^j!,(UZ0+..<688d~!+ra8Gowu]=|ITnYz$]2dgO8wGwv}!^"!%rC?,iFqbcIhXPFFx\,,.."inFDxd*35UxanaVmwsmyo9$v=iifa9jw6T{..^owoT%tlkpQZd5uxDFqQ8!"yDDQF40PXx0dDZq51mDPZi;.,^ion5pFpJ5DA%sUFb3/;"9SSDUdZWK+>. . =
J3- . . .VVom]^. .^7a<: . . <[3^ .;^-ir80&Vk5T!.."";,.sDSDpUFPhQb(!+! ^"..+UG4~ ^C8*8+"t58*8o6fu3cJv=!?ticTghSV0GJti;;^yak="xPDF4?}gFFFPTi"^. ,"$DYpG5k&kAd&6a*&e*6$uII+7+I$?%soy!. ;$56yf^.|GApbF4yqPbDs/!pDXFg=2xQbVUQLkYahdgd)=?tlv3ossan!OQPu|pDDD{^.^!iaZPeXgxy/ . =
2v! :0kw8!. .!s". . .. ,tJ:..^|}eZq&LbUaei..^...!QQpDqbgP8QWt.^^.;...%mL4^ .^JmmYJ::!I*9o[icz$+;;!1eDSS0GkQ4mx$t"^yhY!jPPdDD]=+QQPPPd8+. ..~smbxVmnxDpg*1[c4Tmoo$uf{+~""CaVt. ,1yC?..;!sQpUO}eDVDJ!wDPQP*;^isPZUd44LeSdQYaOhgUASd*G5t"agDC"7UQSA],..."(nbpeex". =
3v! ^k5*k:.. .;[^. ."(:=j0SFggZeFUUzIx;..._vGPDge8DQFIQPe".. . .^z*$~. ..t**h$;"i06$y9$$Jzz$?~LbKDPmfzhepUQZh*sGYu_PQKKgbg6=thDPUPWF=!i$VeeVoI7tt~";:::^!?iwo91?)?lyz3t~"^"tu$$[?=!"~LxZDVGAxxtupPe5i".:^=Gxebk4LheAAqbPPPFPZPZQk$)n&xC.^?eDDP) ..,^"~(|{=;.=
3%! "5ws{. ..^^. . ..^!wUFhPFpGhFPYGDV^J+./&QPpUa/^gDQG"5DX+ . ,i$!... "dGZC5G0$!kTC6yIIV62zUQFFQ1tqQ8qUFDZPShpptcFQq$PPA:,.^eDQKPpJ"\|IqGDFPFAPh|.. ;nkO4L3{aI$r[c$G*8mm[=LeUDSqZADSpPbYa9Y$VQFJ+!^;^+VqhVV*0OsyGFUUb&5ksvjl==!^:hFQa .!FDK*.. . . ... ..=
3v! 6s6! :^. . .;+TAQpDqF9chbDowDx,!]"$DUbFG!:;DQby:tUZt . .;2t,.. . ^hAO3Yko~"2kzwo6o3aGuC&KK8YSu)yFpSOTbSQPhT0oG#KViFQg^ ..~seWQDbt,^tyCFAPQQpDq<^"(}%=C!!5ouii(JT4mmLat$uexPPDAPppPQ4m&8shqDs4ay6=^<+ZAee*0utjl{i?!><"""".^<";SDPI . ;qWWx^ ... .. . =
3%! .!T43, . .^ . ;=pSpQdZe+cZDZlJDq,.")FdDpDv.:!PQUt.^}x+. . ./J! .. :kVsa]!;)ayCIu*mCtry3UKP9kD6!ipQbn|vbAZDgdsxQK6!QDD(. :"=9dQUS!.++7#dd*ADQPWe7^.^;,t^^o8mc(.^!=++]2tCCIz4QPbgQQFdphV8ObQQFFDpAGr="iap4xVori!^;,....:,. ."^.hSF[. .y#KA. .. . =
2%! .=V]^. : .^lmUgpgG5=,^GbAS"JgW^:iYeASgV;.;jAZs"..^~( .;~_, .. . .z3Iy^:..ukT7+2Y&o^^i8KK8$qp4\"eFPh~^"~9GZg5PDXs!mqP. .;|zmmj^!;+DPPs|rLPDWDn^...".,20wz=....:::;JC/"~(lu6Tx8SeUAeDPPFdUPphk+"t7(FPQpxn[!;. . ...ZD#i >fSD[^.. ... =
Jr! .|;.. . . .^wb*p0nJ!...-yqD*=.!gq"1edPz!....|ZQ;. . ^^...;. . }4qz. .:Ym5!.^{0o3^jb43PDS^."LFQK+. ;:^_gKC7&taFF=. ..^!",?S9qb(.."C&PPA6\.:..:i;!x8=... . "$C; .vOZDxzPP1=4Qx~:... . ^;:(FDAL5UQdk?;.. . .nXP" . ;wh7^. . . =
fJ! ^=. ...^jqx&a(!;. .vgFSi^.^wd!kdgw\.. .thg!. . ..:;. .. )08z ^&*T^ .!T6o!5h!!23FPU!..+QdX9;. :..;e&!_~=+hX+. ...;,^^~u?2Xy;..^!tyDxI; . .!.^3dI". . .:=2:. ."qU#pi3QAC^^=mz^ . .^.,\DFg47LpDPO+".. .A*; . ..=qI". . =
JJ! ."_. . ,;=v{t~"... ^Vbh0". :tauqgn!. .. ,tQ&^... .. . . ."n*{ ..^G9J; :;wyuc6+,.!lDUAt^.!eFK8>. ...;h|...:"yX]^. .^ ..~+;?gQ=.. .."J*q=. .."..<JOt. . ."+. .;6dQUt!4p)t"...)!. ..;, .>gp#Z=t*DQFh1; . . .re%, ;0L!. . =
f2! .,: . ..,:,:..... . .~PFm!. .^vC)":.. .^3Q!... . . . .+&t >m9=.. ,7Gr:. ,!PQP%t.;ieKgf". ^),.. ."P0. ..;;. ^^.;zWu^. . ..:^";. .:...^29;. .. .". ;CxeC";1x|^;".. :^. .^"...^]aDW|,+&PQD).. .jz". . ..!i|, =
3r! .. . . . .. ..IZP|.. .:"!". . .^9e; .. .. . .^{~ .=Ti^. ~a2z^ . ."SPh+%".^iXAg{. ^;. ,nx<. . . ... .=#Z!. . .. . . ^!^ . . . .=F8=: .8t:. ;^.. .;^:. "^igDl .!nDAI^.. . =_. . . . ;!; .. =
cc! . .. .. .^kI-... ...". . .."+^.. . . . . . . ^^ ..(!:. .,{aw! . ^SKI,:"; .uPPG^. . . .. .!G>. . . .. . :$x).. . .. . .. :. . . . ..!~^. .". ."". ... . ^.^1b: ..^"C", . ". . .. .:.. =
fr! . .. .. . ../9<: . .. . . . "".. . . .. . .;;. .(^.. .!y6~. .;pK%...^../0qq^ . . . . ^7!. . . ."o(. . . . . .. .. . . ^",. . ...^!.. . . . ..!oo. .. ."+(;. ;. . . . . =
c[! . .^>"... . .^. ..: :!.. .:ow~ :hF=. . .~8p~. . .<>. ^!. . ... .^. ,!r, .:^^, .. =
r3! . ^^... . .. . . . ,; ....{9~. ..&V^ :|$7,. . ,;... . .;... . .). . ... . =
13! . . . ... ^=~.. .}!. . ,i^ .. . . . . . ; . .. . . =
J2 ....... ... . .. . . . ... . ... . ^/. |;. .. .. . "^ . . . ... . .; . .=
crt??()iii++++it++ttt+iiititi+itt+++|?()(|?|)(?(?()??(|)((?|)||)))(|?()?)()()?)?()|))|?)?|)|)|||||)(?|?=?====()?======)l====|})============+==================================================================================================||=)=========================================i
e3ZYYd
sIRC4.exe
C:\marijuana.txt
uk.undernet.org
Runtime error at 00000000
0123456789ABCDEF
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetCurrentThreadId
GetStartupInfoA
GetModuleFileNameA
GetLastError
GetCommandLineA
FreeLibrary
ExitProcess
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
user32.dll
GetKeyboardType
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
kernel32.dll
WritePrivateProfileStringA
WinExec
UpdateResourceA
SetFilePointer
ReadFile
GetSystemDirectoryA
GetLastError
GetFileAttributesA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitProcess
EndUpdateResourceA
DeleteFileA
CreateThread
CreateMutexA
CreateFileA
CreateDirectoryA
CopyFileA
CloseHandle
BeginUpdateResourceA
user32.dll
SetTimer
GetMessageA
DispatchMessageA
CharUpperBuffA
wsock32.dll
WSACleanup
WSAStartup
gethostbyname
socket
select
listen
inet_ntoa
inet_addr
getsockname
connect
closesocket
accept
0,080<0@0D0H0L0P0T0b0j0r0z00000000000000000
1"1*121^1f1n1v1~11111110272
33E444
5X5555567
8/8:8E8M8W8a8k888888888888
9 9&93999S9Z9d9n9x9999999999
:2:J:R::::
;5;_<l<<<<<<<<<<
=#=|==
>'>,>2>>>>>
?!?G?S?[?????
0#0,03080>0Q0Z0x0~00000000
1*1J1b1111111
2$2,2222222
3!3+31393?3E3L3V33%4C4O4W44444
5+5D5]5n55557
8/9X9_9f96:K:~:::0;7;f;
=$=5=>=T?[?l?x???
U1]1f11222
313G3^3s33'5555555
6.6:6N6X6k6666
7A7H7j777'9O9V9n99999
:c:v:::::::::::
;4;?;\;f;;;;;;;;;;;
<#<E<Y<<<<<
1U5^5i5n5v555&6-6?6]6f6r6y666666
7"7)7-7G7P7Y7j7t7~77777777
8,8=8N8Z8_8d8k8r8|8888888888
9&9.969>9f9n9v9~99999999999999999
:#:/:<:N:;;;;;;;;
<"<*<2<:<B<J<R<Z<b<j<r<z<<<<<<<<<<<
=$=.=8=B=M=_=r======5>}>>>>>>>v??
0l0{000000
1$191X1q111111
212I23g4444A5s5{5555555
6'666E6T6c6r6677z8C9V9g9w9999
:Z:M;;;;;0<Q<
=)=7=W=g=== >s>>
1A111222
3M3U3`3|33
4555)686\66677]7776888 9>9i9999::
;C;;;;
<2<D<<<<
=-=p==3>?>L>^>d>p>>>>>>>>>>>>>>>>>>>
? ?-?5?<?U?Z?d?s??????
0q1111111182R2k23444
5I5V5v555
636Z6o6666666
7R7o777777
8-8M8e8o8v8}88888888
9+9J9y992;:;];;;;;;;;
<<\================
> >+>6>A>L>W>b>|>>>>>>>>>>>
?%?0?J?U?`?k?v????????????
400111
2,212@2N2222222
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8h8s8}88888888888888
,000409999
WinSock
System
SysInit
KWindows
UTypes
3Messages
iconchanger
sDeclares
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDcrU
V A5,}=N
3a#7k>h(5!G)
v)J d2
b!C*=+Z&'Ll9G$T
=E0b~ReQU
%%:~hi!lYj
[+QSJV
t PwOE&
llLZ+J2=
Ssms9mI
`4;Os]A
Qb"|FcET
SN<Qw\
Mm@jn6/R<
in),[C3
z2>P0M*p
rsbJ,,
$FXxy$0Y^
t4m`x.]h
X]\jXmQP
=N\^J\uSaP
IJxn#j"p
9bRF,W
)]!ies
0w-G>>.QB2o
O"PV1TesodQ{:=
F82'8e
vJo37A
~<#l$#
w-WZFD
hO3K%`]
A1ov1Z1%v
WlenC-c'O
16{i^wj}
#NpJLssRxs .om
/k8)m~
c>j6P^ol'v=:j\
@8{(*6
]j52L*E3e
Vl %(ifY
_n#o<H
e.F&9\gTD^
@?:&Tse
Pb!M;#T{<>
K70kBPw
[PnP4":e
k&ve'm'
1i\>z*f
AOx:%R
Bh_j&;
/Enag|I
(Ge+)/#
g)Fj}r
%yF4LyR/J
O'wOx5
"q4SWM
M3NwGha>
x(tr6z
@L<?p}
N";Y"&jrm
<Up&;mTV2LM?;b~!C0:
LU^}P|
Agf#P?
h`4~nL`%
v/8N["+
P0p(E
meCSBNat
+K~iFmGqODdF=c&gf
AM,s(B
'0#EeT@
]Facp>^c
=ia-6W}
m'#;w?$}
4#WoO~Y>}%l
E5sUt>{
e8di:No}DD
^mJm:k
g}_&duV
[0;##Vl
[M FXW
^1pARnN
q]q(,t
;nMjJ$
C"?HgDq.
+IS"3+
AO69|]
lW;>VGK%3
+}+Yct(TG3Q_[CXSa
In>h2nh &B'uRK
pA7>oE
\{,GV%
.W:Mw:
V4+v)o'
&#@^W#
eC(wvN
VKzYE f]&M}%RV'
6q7L)l
rq*}QVU
v`MhQR
CJ,=h$
PU1r`f
8VzoVd0
b|!F4{[D
*QR +8NzG:7,
4M[3^=~
\uV(=f~
~;&/&F
TtCknR
rJ8t9%
oINXd`
;fb!}||
Mmv@L.T
BeHimq
WN:m1cK
Dom&05{W#i
GPE#%vH
% /3c>^
[~97r'^
$&]x-U
@qiyund
qRjsk]
xX.:9nwTk-
9Hy_r`<pA
s*3zo7
S$&uF/VB0Ip
}yyaR)o
@lFp&c~v
a0${PZ
w/i;-WUZ?
J7-@d[
&=Q`|zc
n[f#2wLO
?V#4<#
&\`A|#H
cqTAv'/q(
JVF:jQeKxu
rX~p|o(9
/Mub99zzR(U:
.~_n:#:NG
JdBwd]Y_
EB>R6(
[+kJN6L]$
:jVH>jc
b}1sUE]7|\Y04Nu}maL
3S</FU&gu)zr
3o9.Dz@
|&Wc~h+e]x{
3ZENj>e;
(gDo:.jFl
7)DZAncF[({zw
#~(6ro
`;Wa#b}Oaep14QS
}JMQ#_,c:Lf
U)C/8j
5E'$F~#<
3]d|)YdK{ y2
'k!Yk}
!$]pg<iI
&8._'4
/7qG%=/47
z8mO)|k
\t"+>F
\b58.2gC=1#
q4D^kc
+2hL"n-
Hj;h$.={
wo\.+%{
x/COye
z$`}s~
n()T0leW-E5
`#L },
v"j4`rR^[F
v)JG4i
J*- y&q
h;53zn%+!Z
eS:[#`^
".^2ekvt5=
;~"9xo$
}zQXz?!
%k{vOB
n7^*sE^g
~O5<S:]V
A3ta w
@ Z<UT?M
TD@xm6OI4dG
-@E]0M>
v_4%O^S
$-7,Rj
] Sa
y3gusrZb
Nm>`p"U
.s C,(
xZkE~XED>a
3 zN$/l,'!
VkyWFo
0;KE!nSq|F
3:3viq
oG9bL{P
~MLhLT_
kuO"_JfTuv4
eH?"|4b[
wTR'Q?
MbTz6Sr+_)Mir("g<)e
_jmFJx
MF-%.4
6>S8eJ
sDpKK"
G_^xd7
* X$N*B;
Q+na`4{Rd
#4=|ELz
R0l",|+u
*_]-OI
x:C&P1?
ssDQ8)3
nv3b$l</1[.
\f,`;90S"
P'8*0E
5v3@IepO\
q)2FI|hmo
"?m;L}'j
BZ=gx
TM8#DjCw
t=quLJ
x+T(O,`
<(X&+-05H
0u2CDe!75I
_gV Hz
{H 52TG
V:V/8V,
HKI#`d3NB
fxllE9Ud
Jp! meV[i@YW
wUl<qH1'2_3"\Tu
8:Sk[\bF(
Q[9G{g5
0$GNX.
8`}"4o/=
CSL%(IG
`wB%Rq=r$?t4
-vz$0SL)X
50r<Ra5
JZms5V)
<NKR}p
1>Ut~W D{7
<:\#h->k
xj76R[
}UY?=3
0&d0q)
w*9?svc=kzESI3&/O
+?|bw/a1q;
#WfUA~N8w
WdZ9nX
~T}I"<^
>>n8\d#]
rkDL(%V
:kO<}Qr+ktrUlX
SFZO`KueuR
IHC2eork!
8D`Bwte
ZscN( Qm
;=6(n'n
Vd=76+
qm"7_Z
Z&E-V2b
3-H"1kR(@8w
FUn937
8SBB8@S
WYhWh[.b
`i{4z =
nm \3O
(DygU m
^&&~10T
I|}!kJV3
w|X@O Rm>nT%h
:wVt`WSy= Mc5'
5!?mO
KC5}S9r)
h"QrrxbLec#
R0\OSN-q
cM5Bf]T4:2
!ng~<~"H
Y>Iryz<
p.7oHrT-U*aS&y
,j+N,9
__Sa3y
",m+>ch+
I)xUYP)1
L:U2 t.Xt\~
uNgHgS0y
+FgqCT
*:%t_mcQ}991k<DJ]?nCy0+&y
Q~q0G$8HNB/
W4 )T3H
5OCm;igk>+jAV,wMBd.["E
6?'f&DnM8
byAw2L}:}+%_2xd
Yh>1M.cV
* s}QF5;66
xv=~5h
wZ5KhYp
|>A(bs
17 Q`$U
hWkSYI
5Vg BfbjW
x,o[pq]p
KLj5C$
nTohvStl;Bz nU8zS
F~V]g>D&Q
z{8R=<jR?A)
n)dzce
~_)9)[708
[n$1d0hg$[U1/g
#8+*-j[n|jsvt8
-&KlxyIM|>DoW
?DH^Soc
9k[6Kl
lCPg7+
"x7:EODj6 l
qEwRfC
U3d(~@>
W)ss!yMkr
WItP.rfo2T
!#\9eF{
\o^)[b8+Dn?f1D
2jG0WXEFl|
fPE4JO
<$+&7ej
(;F6tI+BY
Lo! <Qc}
84?82"z
Hr<NyV&+
+@5ilWl{[r
In4s^K0
R@[L]+ d
avHqR"]Tmg
5[l:%eO
?Yad./K7^
6r-BraN4R43wI
d5jB5?3zJ
-sT{+~8vYEJ;
< :L6R
7USK`d
N;PceB
O1VWI2
^d?,H#
O`U/'HG/ova g*
`85h?db-I7c^F
ay"kx@I
rp[V|P
}w"F8ODF
uz22_zu|n&]T
0J?im7bd
c:qB!D[&H8}4~
.P8lQ0yK%
xdeDbp]
L@vNyyxx,
<2l4$qpb?6
c~ vb$
gVPyV!/
p{fc=62RVHif\>D
P)R,\3jq
KS}G\v
R)v'*9
d8/MuL*Lf58 @
;7vq!<
lw%/W.*W#
J mT]X1$
42q`cdA
_NNAZ~F
u@}fz7-
s:|_2C
y<%<6,
EoSWc1w;=+T
WPTo5tV
^OkFFr[)
"9$Ut1}
vxTg';p3
.]HSG:_
#/W):G
8Nj)rO
r\7/}-@
e)`GAR#qG
v$1mc8I
&A$!%=
f_B_](9$>
VU0l:i[SzK
O#9PF.VQi
fGYMxBK6VUcA
mN*J#Q
-/,dT;>
!F"mst7;
B))7'o7
[")HUgl~%
)rXFLf{(
sQk{Zn
TxPN4Y<
4?%$Y;9\G
:BYN4B|+k/1qg
(z^%M? k
^Xyeuqwc
BsZ a8
;|Sx|lz}Oiq
@7`gF2
uY.kgnj-
ZNh=zF
dI#&#Juk
,F_@M}
LonykO!
UtpMAp
)8\zg!
8_eZt1zGA
E/A3</
+MVjM7aG?S
5!#QuL>
MCyoIw= .`
0J(*bLF1G0Si
,S6?~~A
aWCwOa5U
\?I:73o
+#~LEz
gPq#Sk-8
/>Pi(:
YtFUQt5yq7-
>~$TiD
hDgQ_]kz5q)h
:uF2Tw
%iB8"$nI<
$t{%iQ1
jqO8tx
*u|a?ST
V!czsSx
vX&ftO
{;qK7u
994GJL:I
z _CTy
,>KvS_RJ
nEP~#i
0<H,+J
"OyjI%X^
b@= 5!eO
DL.@Pr
6\~/+-
7q`9=Afz?qM
,}@j`!>z191M}
8mbI8sF
hL=AKBFy
!9JvFw
`h{ n)T\
Kfw&%Lw
jnt}pcG
ndbQCgr
"%-6Mv
S*sJ=iOHQ_
iy$G9=@5Jz
eVAk6^#}/
\{)J~[pZ
;;]%m5X
^=1f`Kg
uD>2YU\K}
kXU>5{|
c]A?=Y
E,:IS<-
IrI2\2
K<oY:'
$9W2]!
b}Ms]8noX
Pq#ysym&
xf10bG,LX
'X[_%@lXr=t
P:<\O{y@vqj
.K$Xr%*`3&S
sQEDres=
"&&:tY
IgOt1U
;i]5)d$
6Q{m,!4 Jrhb
adW4qt
~4p.1 ,&~
/&lj{;
'{Y<2 :
5MAyfEm(ww
eZIq{S8,LD,
X{B6,VJP
pY?@"$I>
1B{X.P2ruU
bZXFBt\
y3.)>B,R<raDs
hz@Qm+>q p0E
~@G@GJ
.z7( c
]4{qKPeYs8Y
sRezm<@
@ihY9f4
',opg+</`c
"5E~H@RV.
L!;kn7uU3%fYB9 q
?&W.s|K=!y=I
rQ)Xla
jpmWKh/\Nz
;-D:Om%
,hq^mB(C[QAgRPSwZ
mfQbxP
,i1z!y
8@jR ^ 3]#jNA'
Ecc;gR
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
M�A�I�N�I�C�O�N�(�
Process Tree
- 0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe (2224) "C:\Users\Administrator\AppData\Local\Temp\0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 74a560b51666bbf6_wabmig.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wabmig.exe |
| Size | 128.4KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 2bcfa53fb161c35eb3f1267dce415a6c |
| SHA1 | 0d4b8e5bc5db5e7b630bab161bcaff831593f2a3 |
| SHA256 | 74a560b51666bbf67c0f8233df9511afc207cbb625740836c08f0ede76f1da9d |
| CRC32 | 14C673A8 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 9610947cfe4c5760_procmon.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\Procmon.exe |
| Size | 2.0MB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | ba30df521605b27c8a07b1f63e50b029 |
| SHA1 | 7fa6da2e5aabdc0148bc5978d6a0c13fbc1412f1 |
| SHA256 | 9610947cfe4c57602610d1e0d019580597693ea125005e696b06c59896204936 |
| CRC32 | 1C918185 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 267b729384f87070_flicklearningwizard.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe |
| Size | 906.0KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 621dd436b944e7897af5b2df6a4ff14a |
| SHA1 | 6fe15a1dfa6fe928c33bacd76a338c07b9b470ff |
| SHA256 | 267b729384f870705299f67d44eda890ea51b85ddd208595c296a9891dc1db9e |
| CRC32 | 335E4401 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 410ea1daaee897b8_convertinkstore.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe |
| Size | 188.5KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 106621b39185bf7f9b932aa309cfa7c9 |
| SHA1 | f358b03e69db1ccf4ef21262e471baa93d4e58eb |
| SHA256 | 410ea1daaee897b8ab0a623a1ad70ad4f7e8a1f134fc524c6061100f188e3813 |
| CRC32 | 78F35301 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0ab8a8bc8a521725_wmpsideshowgadget.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\WMPSideShowGadget.exe |
| Size | 162.0KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | a84d1ef0bf5b0bb501887504683e1ec1 |
| SHA1 | e3f2471726eff215a4c89dac2c7750a6a1c933e4 |
| SHA256 | 0ab8a8bc8a521725f23ffb7a33773ae96b05310f8efb5622c3b70764b117a697 |
| CRC32 | 8F9E18CC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 96ffd715798fb86f_inject-x86.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\inject-x86.exe |
| Size | 113.3KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 16fd9778bff633874ec1983e37be6a54 |
| SHA1 | 5ae4ac26a7f15165f57093ea149d7b5f23c879ad |
| SHA256 | 96ffd715798fb86f2935900d7b76ce95a08d1211fb2e43f2e723a44a76571607 |
| CRC32 | 7DFCF8EB |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 38c2ccccb59a88b7_inject-x64.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\inject-x64.exe |
| Size | 121.1KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 3d82d4198b178b837272053c9c7fbc4e |
| SHA1 | 1cbcfefae9d7a5feaa7b615652154206300b9352 |
| SHA256 | 38c2ccccb59a88b7cce363e2b189a4863b8c8bce15bcba3893233c1ed7257cca |
| CRC32 | 9AA91340 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | be776e46386fd28e_shapecollector.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe |
| Size | 679.0KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 94a8b68a310eb87d494a1243f8d61849 |
| SHA1 | c4113532527a42b2eaf0c599adf0225237bbc095 |
| SHA256 | be776e46386fd28eb534a188c9bf1ce981ea560081780e899ec31f552367eda0 |
| CRC32 | 9B276AE1 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | fab0f57e199e5845_execsc.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\execsc.exe |
| Size | 98.7KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 5a4c3b883b3c3a072ec17cd72ab34a1c |
| SHA1 | d53e56b5c962506d3063a915ab7b61a5d36e9fd5 |
| SHA256 | fab0f57e199e584557f1b74af691ecc2e177513a892cf1378a9b0f8517bb75cc |
| CRC32 | 8512885D |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 3fb679088e2455a4_msinfo32.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\msinfo32.exe |
| Size | 370.0KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 2b8e5c71a3d1941f4029716ff931218f |
| SHA1 | f31d1207d0c3a9468c07724a02185064b29c1f48 |
| SHA256 | 3fb679088e2455a4ab972bcf11ba3062e1d9b696dd8178e940491d925a480808 |
| CRC32 | 80E6F750 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 130a719d34052211_ieinstal.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\ieinstal.exe |
| Size | 263.5KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 70b1d547f3dd5d42d1498e568f8d84fd |
| SHA1 | b3a810e3b83d709d51c8743878c9f74a71b9d91e |
| SHA256 | 130a719d340522115c4d6219b5560c77683c0671fdb1a7998031175b04c13d8a |
| CRC32 | B88570B1 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 605c8ce97ab3caae_wmpdmc.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\WMPDMC.exe |
| Size | 1.2MB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 32b9bbe0d69043090c198a6708e072c8 |
| SHA1 | a0e226909ebf41833b43cf2f57222600cd8f9efa |
| SHA256 | 605c8ce97ab3caae5fed267e48362c9af2f4b10330d85e94ffb5222f47d7a650 |
| CRC32 | 1C16F66D |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 6b0e9f4971ff8838_wmpenc.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wmpenc.exe |
| Size | 94.8KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 55b92e773ab1fdfa2146537db47ce2fe |
| SHA1 | 33c843ded90c14e0a1955caf337866da8c921d3a |
| SHA256 | 6b0e9f4971ff88386b7a05205a70e6665ed42668212a19c513448c1e68c67db5 |
| CRC32 | 4673101D |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | b602b69bb488559b_wmpconfig.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wmpconfig.exe |
| Size | 100.0KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 20799e3ec36910e17aef26ad32cda85b |
| SHA1 | 87de34d4ba7098862a898359a5f13d8dd46bdb99 |
| SHA256 | b602b69bb488559b35bcff8f92b615942090629bdd8ba1b425e13683b0f44540 |
| CRC32 | BADAB0E5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | fdcd7e5816b49e81_wmpnscfg.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wmpnscfg.exe |
| Size | 127.6KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 0a4485571a605641763bb0e49cedf809 |
| SHA1 | 6e0e9eb26141644b78f27a71a50c2223c77aae89 |
| SHA256 | fdcd7e5816b49e810e6e7a927c749d69f83d88f9627bdf00b7210fa39dcb7fbb |
| CRC32 | E487613B |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 8efc4ceb5c7a1b9e_inkwatson.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe |
| Size | 388.0KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 253022c312da58dd6e2e9755db59f69d |
| SHA1 | 9998cadd95cc2992251ff3f8cdeeb09f4a62e7fb |
| SHA256 | 8efc4ceb5c7a1b9e6f64eff977ce297abd58754b261f443901c922035d4da94b |
| CRC32 | BD8C8ADB |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 285c778712d6f58f_is32bit.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\is32bit.exe |
| Size | 105.6KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | cc67170f7d56c005644b1ba371fb2ce0 |
| SHA1 | 0c6cc806ff4694e95dc9e8015a47c5f935a0cb17 |
| SHA256 | 285c778712d6f58f8b352aba49ae94a1c0d3c1249e8ab9bfa526b2402ee48c3e |
| CRC32 | 6F4CADBF |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a1e88659a4ad4f4f_marijuana.txt |
|---|---|
| Filepath | C:\marijuana.txt |
| Size | 21.2KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | ISO-8859 text, with CRLF line terminators |
| MD5 | c0214c7723fe7bde6bc2834742bcc506 |
| SHA1 | f3d8e78975bf169fc1ed3ae95ad41d84ff6a36c3 |
| SHA256 | a1e88659a4ad4f4fd55f246ab076dee048881fcac3ea8a300e2fe8cdffd88b73 |
| CRC32 | 0D0BD2E9 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 6fc36b717ec08937_journal.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\Journal.exe |
| Size | 2.1MB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | c7f98f80553962a3e4e7781ebc7f1076 |
| SHA1 | bb4380b07e1d42eb4c840edeca2378ec6830bed7 |
| SHA256 | 6fc36b717ec08937c3cc6fc3fd55acb867887ef9ba674c082cceb09d51ac32a6 |
| CRC32 | 7B729592 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 95ee441bdaf3d0fe_wmprph.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wmprph.exe |
| Size | 93.6KB |
| Processes | 2224 (0a2d1ea1fce0cd3784d3c8b28ff0e46fca481ec82d98c99d448608512ae624ba.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | ece5934774e03d5b53f4d3df8f2f1702 |
| SHA1 | 4aa73c49cde36259341f82b0e16f62704f28d879 |
| SHA256 | 95ee441bdaf3d0fe2514e8e6d6fcc115c5e66d96edc99867fff1f9adfa39e4a2 |
| CRC32 | 9A19569B |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.