1.7
低危
DACN
0.15
FACILE
1.00
IMCLNet
0.78
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Malware:Win32/Dorpal.ali1000029 | 20190527 | 0.3.0.5 |
| Avast | Win32:Delf-VKC [Trj] | 20230319 | 22.11.7701.0 |
| Baidu | Win32.Backdoor.Wabot.a | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20220812 | 1.0 |
| McAfee | BackDoor-FDOW!C408812EE1EA | 20230319 | 6.0.6.653 |
| Tencent | Trojan.Win32.Wabot.a | 20230319 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(4 个事件)
| section | CODE |
| section | DATA |
| section | BSS |
| section | .lol0 |
动态指标
在文件系统上创建可执行文件
(22 个事件)
| file | C:\Windows\System32\xdccPrograms\Procmon.exe |
| file | C:\Windows\System32\xdccPrograms\execsc.exe |
| file | C:\Windows\System32\DC++ Share\InputPersonalization.exe |
| file | C:\Windows\System32\xdccPrograms\ConvertInkStore.exe |
| file | C:\Windows\System32\DC++ Share\ShapeCollector.exe |
| file | C:\Windows\System32\xdccPrograms\inject-x64.exe |
| file | C:\Windows\System32\DC++ Share\wmpnscfg.exe |
| file | C:\Windows\System32\DC++ Share\wordpad.exe |
| file | C:\Windows\System32\DC++ Share\setup_wm.exe |
| file | C:\Windows\System32\xdccPrograms\is32bit.exe |
| file | C:\Windows\System32\DC++ Share\MpCmdRun.exe |
| file | C:\Windows\System32\DC++ Share\ielowutil.exe |
| file | C:\Windows\System32\DC++ Share\PDIALOG.exe |
| file | C:\Windows\System32\DC++ Share\msinfo32.exe |
| file | C:\Windows\System32\xdccPrograms\InkWatson.exe |
| file | C:\Windows\System32\xdccPrograms\install.exe |
| file | C:\Windows\System32\DC++ Share\MSASCui.exe |
| file | C:\Windows\System32\DC++ Share\WMPDMC.exe |
| file | C:\Windows\System32\DC++ Share\ieinstal.exe |
| file | C:\Windows\System32\DC++ Share\Journal.exe |
| file | C:\Windows\System32\DC++ Share\setup_wm.exe.exe |
| file | C:\Windows\System32\DC++ Share\DVDMaker.exe |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': '.lol0', 'virtual_address': '0x00014000', 'virtual_size': '0x00000ef1', 'size_of_data': '0x00001000', 'entropy': 7.528830647244613} | entropy | 7.528830647244613 | description | 发现高熵的节 | |||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell | reg_value | Explorer.exe sIRC4.exe | ||||||
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Trojan.Agent.DQQD |
| APEX | Malicious |
| AVG | Win32:Delf-VKC [Trj] |
| AhnLab-V3 | Backdoor/Win32.Wabot.R191213 |
| Alibaba | Malware:Win32/Dorpal.ali1000029 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Wabot.a |
| Arcabit | Trojan.Agent.DQQD |
| Avast | Win32:Delf-VKC [Trj] |
| Avira | BDS/Wabot.nncqr |
| Baidu | Win32.Backdoor.Wabot.a |
| BitDefender | Trojan.Agent.DQQD |
| BitDefenderTheta | AI:Packer.7A11A9861D |
| CAT-QuickHeal | Backdoor.Wabot.S17514 |
| ClamAV | Win.Trojan.Wabot-7053120-0 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cylance | unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/IRCBot-basedA_DET!Eldorado |
| DrWeb | Trojan.MulDrop6.64369 |
| ESET-NOD32 | a variant of Win32/Delf.NRF |
| Elastic | malicious (high confidence) |
| Emsisoft | Trojan.Agent.DQQD (B) |
| FireEye | Generic.mg.c408812ee1ea97da |
| Fortinet | W32/Agent.DQQD!tr |
| GData | Win32.Backdoor.Wabot.A |
| Detected | |
| Gridinsoft | Trojan.Win32.Agent.bot!s1 |
| Ikarus | P2P-Worm.Win32.Delf |
| Jiangmin | Trojan.Multi.jju |
| K7AntiVirus | Trojan ( 00517d761 ) |
| K7GW | Trojan ( 00517d761 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=83) |
| Malwarebytes | Generic.Trojan.Delf.DDS |
| MaxSecure | Backdoor.W32.Wabot.A |
| McAfee | BackDoor-FDOW!C408812EE1EA |
| McAfee-GW-Edition | BehavesLike.Win32.Wabot.mc |
| MicroWorld-eScan | Trojan.Agent.DQQD |
| Microsoft | Backdoor:Win32/Wabot!rfn |
| NANO-Antivirus | Trojan.Win32.Delphi.ehuovt |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Rising | Worm.Chilly!1.661C (CLASSIC) |
| SUPERAntiSpyware | Backdoor.Wabot |
| Sangfor | Trojan.Win32.Save.a |
| SentinelOne | Static AI - Malicious PE |
| Sophos | Troj/Delf-GBD |
| Symantec | SMG.Heur!gen |
| Tencent | Trojan.Win32.Wabot.a |
| Trapmine | malicious.high.ml.score |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
5662cfcdfd9da29cb429e7528d5af81e
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| CODE | 0x00001000 | 0x0000c984 | 0x0000ca00 | 6.576213314584368 |
| DATA | 0x0000e000 | 0x00000a1c | 0x00000c00 | 4.533685500040435 |
| BSS | 0x0000f000 | 0x00001111 | 0x00000000 | 0.0 |
| .idata | 0x00011000 | 0x0000083e | 0x00000a00 | 4.169474579751151 |
| .tls | 0x00012000 | 0x00000008 | 0x00000000 | 0.0 |
| .rdata | 0x00013000 | 0x00000018 | 0x00000200 | 0.2108262677871819 |
| .lol0 | 0x00014000 | 0x00000ef1 | 0x00001000 | 7.528830647244613 |
| .reloc | 0x00015000 | 0x00000724 | 0x00000800 | 6.30667395149089 |
| .rsrc | 0x00016000 | 0x0000077c | 0x00000800 | 4.039865509563651 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000165a8 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000165a8 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000165a8 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_RCDATA | 0x000166e0 | 0x00000078 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_RCDATA | 0x000166e0 | 0x00000078 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
| RT_GROUP_ICON | 0x00016758 | 0x00000022 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library kernel32.dll:
• 0x4110c8 DeleteCriticalSection
• 0x4110cc LeaveCriticalSection
• 0x4110d0 EnterCriticalSection
• 0x4110d4 InitializeCriticalSection
• 0x4110d8 VirtualFree
• 0x4110dc VirtualAlloc
• 0x4110e0 LocalFree
• 0x4110e4 LocalAlloc
• 0x4110e8 GetCurrentThreadId
• 0x4110ec GetStartupInfoA
• 0x4110f0 GetModuleFileNameA
• 0x4110f4 GetLastError
• 0x4110f8 GetCommandLineA
• 0x4110fc FreeLibrary
• 0x411100 ExitProcess
• 0x411104 CreateThread
• 0x411108 WriteFile
• 0x41110c UnhandledExceptionFilter
• 0x411110 SetFilePointer
• 0x411114 SetEndOfFile
• 0x411118 RtlUnwind
• 0x41111c ReadFile
• 0x411120 RaiseException
• 0x411124 GetStdHandle
• 0x411128 GetFileSize
• 0x41112c GetSystemTime
• 0x411130 GetFileType
• 0x411134 CreateFileA
• 0x411138 CloseHandle
Library oleaut32.dll:
• 0x411160 SysFreeString
Library kernel32.dll:
• 0x411168 TlsSetValue
• 0x41116c TlsGetValue
• 0x411170 LocalAlloc
• 0x411174 GetModuleHandleA
Library kernel32.dll:
• 0x41118c WritePrivateProfileStringA
• 0x411190 WinExec
• 0x411194 UpdateResourceA
• 0x411198 Sleep
• 0x41119c SetFilePointer
• 0x4111a0 ReadFile
• 0x4111a4 GetSystemDirectoryA
• 0x4111a8 GetLastError
• 0x4111ac GetFileAttributesA
• 0x4111b0 FindNextFileA
• 0x4111b4 FindFirstFileA
• 0x4111b8 FindClose
• 0x4111bc FileTimeToLocalFileTime
• 0x4111c0 FileTimeToDosDateTime
• 0x4111c4 ExitProcess
• 0x4111c8 EndUpdateResourceA
• 0x4111cc DeleteFileA
• 0x4111d0 CreateThread
• 0x4111d4 CreateMutexA
• 0x4111d8 CreateFileA
• 0x4111dc CreateDirectoryA
• 0x4111e0 CopyFileA
• 0x4111e4 CloseHandle
• 0x4111e8 BeginUpdateResourceA
Library user32.dll:
• 0x4111f0 SetTimer
• 0x4111f4 GetMessageA
• 0x4111f8 DispatchMessageA
• 0x4111fc CharUpperBuffA
Library wsock32.dll:
• 0x411204 WSACleanup
• 0x411208 WSAStartup
• 0x41120c gethostbyname
• 0x411210 socket
• 0x411214 send
• 0x411218 select
• 0x41121c recv
• 0x411220 ntohs
• 0x411224 listen
• 0x411228 inet_ntoa
• 0x41122c inet_addr
• 0x411230 htons
• 0x411234 htonl
• 0x411238 getsockname
• 0x41123c connect
• 0x411240 closesocket
• 0x411244 bind
• 0x411248 accept
L!This program must be run under Win32
.idata
.rdata
P.lol0
`.reloc
P.rsrc
StringX
TObject%8
;u3YZ]_^[
SVWUL$
]_^[SVWUL$
uZ]_^[
YZ]_^[
_^[U3Uh
d2d"h@
d2d"=5@
u3ZYYd
#_^[SVWU
SVW<$L$
uSVWU@
]_^[USVW
d1d!=5@
2E3ZYYd
E_^[YY]
UQSVW3@
3Uh6"@
d1d!=5@
E3ZYYd
E_^[Y]
YZ]_^[
d2d"=5@
}3ZYYd
E_^[Y]
$PRQ$"
_^SVWU
< v;"u
3C<"u1S@
>3Q<"u8S
< w]_^[
Ek<1fU
Ht Ht.g
6Huv=L
VI3E?E3s
3EE_^[Y]
f=r/f=w)f%f=u
f=v)f=w#j
RPCHPt$
-C GL$
SVWPtl11
-tb+t_$t_xtZXtU0u
FxtHXtCt
~ExC[)A
FuY12_^[
PRQYZXt5x
@~d@PQ@
YXYX
uM3UhU3@
EP3ZYYd
f%fUf?f
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
Iu9u_^[
PRQQTj
YZXtpH
S1VWUd
SPRQT$(j
Zd$,1Yd
t=HtN`
r6t0R=
t/=t&,*&"
3UhB:@
USVW$@
d2d";~
P'v_^[]
aSVWt@
^v]_^[
QRZX1Yd
PVSY_^[]
PQiZXSVW
ISVWRP1L
JZ_^[X$
thtkFW)w
9uXJt
8uAJt
t8JIt2S
PHXHI|
St-Xt&J|
t0JN|*9}&~")9~
tVSVWU
t@t1SVW
1Z)_^[
@+u<E@
USVWE(@
d0d ]ES
u_^[YY]
UQE3UhF@
d2d"E@
t3ZYYd
%3ZYYd
U3UhH@
U3UhH@
3U3UhAJ@
P~ SD$
U3UhK@
U3UhK@
U3UhL@
TFileNameL@
TSearchRecX
U3UhdM@
EEb3Uh
tC&EPU
U3ZYYd
U3QQQQQEE3UhN@
d0d EM
EPU3EPtKh
EcPh0O@
system.ini
Explorer.exe
UEEEz3Uh.P@
d0d U,
EP3ZYYd
IuQSEE3UhpR@
tjtfhR@
t-u)hR@
u-t)hR@
" -a -r "
" a -idp -inul -c- -m5 "
software\microsoft\windows\currentversion\app paths\winzip32.exe
software\microsoft\windows\currentversion\app paths\WinRAR.exe
C:\rar.bat
C:\zip.bat
PHuES3
E.E&3UhT@
EPEPEP?
a3ZYYd
IuSVWEE3UhX@
d0d UEJ
U3YEU.Ef
EU\EUQE;}>%
EnSEcPd
to3Uh2X@
EP3ZYYd
IuQSVWEE
3Uhh\@
U3UhY@
d0d G3ZYYd
$UFuh\@
VUEL@t}0EUm3E
EZPE~h
=3_^[]
abcdefghijklmnopqrstuvwxyz-_.1234567890
IuQMSVWMUEEEE
+3Uha@
d0d 3Uha@
d0d EU|
u?8.t4uha@
u |U|ttx
yu pUkp0hwhlj
u XUXPPT
u LUrL7D~DHq
-u @U @8+8<
u 4U4,,0
u (Uy(6 $x
3Uh"d@
d0d 3Uhc@
d0d EE
8.teChTd@
N3ZYYd
_y_^[]
NOTICE
:to get this, type !xdcc_get
bytes)
uTC,PSC
EE>3Uhe@
d0d SU
E3ZYYd
EE3Uhf@
d0d SUf@
PRIVMSG
UdSVW3
dhEE3UhSh@
d0d 8lPh
d2d"EP
s3ZYYd
c3ZYYd
ZE.H_^[]
BFKu_^[
USEE"3Uhh@
d0d UE3ZYYd
U3QQQQQQQQS3Uh
| v;}
N|7 vU+A
M3Uhj@
U3ZYYd
EE3UhPk@
EPE!PS63ZYYd
E1K[Y]
3UhYl@
\DC++ Share
\xdccPrograms
EE33Uh?m@
d0d EUFUTm@
a~&EPUTm@
EZSUTm@
U3ZYYd
f\[YY]
EE3Uhm@
d0d EEPEePt,P3
EU3ZYYd
U3UhQn@
TWarBotUj
SV3Uho@
EPSE/Eo@
03ZYYd
IuQSVWd3Uhs@
`U\E\U\
EPSEPcfC
PfEEU:E
X/XUX8
3EU,t@
~&EPU,t@
EZU,t@
\uh8t@
L3LP P
PcPhlt@
EIHhlt@
DE0Dhxt@
\E>EPj
EPtPEP
SfPV j
EPzVt3ZYYd
PRIVMSG #hellothere :
&%->=
PRIVMSG
DCC SEND
IuMSVU
EN3Uhy@
d0d EUaE
EEPUy@
;~iEPUy@
EEU8EPU
EZWEPU
EZ1EPU
EEPUy@
EZEUUy@
:3ZYYd
PING :
type !list for my list
!list
for my list
!xdcc_get
#helloThere
#helloThere,
JOIN #HelloThere
LIST >4,<10000
U3QQQQSE
3Uh,|@
YUuhp|@
?Uuh||@
G3ZYYd
PRIVMSG
ACTION
!list
for my list
SVWE3Uh@
E3ZYYd
NICK [xdcc]
NICK [mp3]
NICK [rar]
NICK [zip]
NICK [share]
NfrSF3
Pzu _^[
31ff%3vcc%%112c23J33c22322332crc3cr233J2fJffJv%1[J33JccJccfcc2fc2JfJ223rrcrrJ2cc3f2r3r233Jcf2rf3ffJfrJrr3f2]fr[2rvJ23%1JJJc1fc22%J[rr]ff2rr2%ff32f2J23r323223J2rc333cc2fJJ3JJ2ccrfrJr2r3JJrcfc322f3cr3rcJ33f33rcrrrcf3cfrffJ2cff2r22fJJf3rr33rJ2f3cJJc33r3crrcf33cJJrffr2fJ2f22fc3ffrrJ32cJf
]2]3r]31111rfr2crcJ3[%%]]vJf3233Jr22fJrvvv[v[Jc3Jc3rcccrfJ3ccfffJ3c32Jfrc2ffr3cJ222JcfrJrJ322r2ff3Jr2JJcffcc3vJ]c2[2%Jv%2]rf2J213]3[v2]33[2[J32c2r33rrf2c2cff23rJJf22cf3crJc2fJJrcc33c2fccJ332rJJcrrffJr2ffrcJ3frJc23frcr22c2rcJc2cJcff2c3cfrJrf2rfr2c232cff3332fJ2r2c2cfJ23f3J3f333J22r2f33
J]"^^"^^^^^""""""""""""""""""""""""""""""""""""""""^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"=~\=yw$="^^"^^^"jCzyw6=^"^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^=
ff^ ."k^"=!24G;. .. .!nzL4OJ"~~.. . .=
]J^ . .!sG!7{^!s8G=.. .^68Vs2!;.;*}.. =
f1" ............. ._Inzoz6$295. ..^lkcv".."";"L. .=
1c^ . ,!%6***O8Izy. .!j_". .;w=;]. . =
ff^ . . . . . . . . . . .. .. . ... . . .. . .. .^|uuzw94V9=. .. :"=^,..uS?^. . . . .. . . . . . . . . ... . . . . . . . . . =
Jf^ .. . . . . . . . . . . . . . . . . .. .. . .. .. . .}6T6$i!+~,.. ~O4u{!!je^. . . . . .. . . . . . . . . . . . . . . . . . . ... . . . ... . . =
22^ ... . . . . . . . . . . . . .......... . . .. ... ... ...... . .6Ic35I=. . . ...^v}ca$l^. . . . . . . .. . . .. ... ...... . .. .. .. ... . . . ....:... . ......,.... .. . =
fJ^ . ....:..... ...... ........... . . . .:,!!<-!==!"... . . ...:...:..:..,. . .^!\, ..,,..:.,.. . . ..:,^^.... .. . .....:.... ... ....,:..,., ..\((?>(==^:. . . . ......,,.:.. ,."!!.. . . . ...^"~?(|^ .... . .. =
cJ^ .."J4nTn5TaL<.;"clJws2:. ..."=i?2ai<,.. . . ..^~%yehY3CAh5Ti~|~. . . ^11J3399T16c;..^)JL5o.^]ff2t??]3+=. .^?t{$]t=~|]t. .isfanzCC%". . .rsyz4LVYT9C~. ..^j5*hPDPe0TmaT1~;. .54wjtffi%J!. ."+jjwc%i]=^. ..;!?2t+mFDK=;(zs?;... =
r2^ .=gYDFSQUgDj-GkK5oVhFJ!. "!9m*JaPa?. . .;!Jau$UFU*a*n$y1VOb~.. . =UG0LskShqpU"^n5gpq8.=ATIIn2*m*U... "J6n3)!!=pd. .;*PpdUk}v+t^ . ..bZAgFPDUonPb.. . .!GZQPPms%+tij6DQ9=. .%UszufL4s4mj..)5m58T9&f! .:tnS$_!+&PDDl"IpDg=";. =
fJ^ .tXeT0kVqDF]xDqhs04GmZ^.]wTTCrkFV2[^ . ..^7Tr}":.....8CcVwu%"". ..=ZkasJ[%rOm&"{nZqff}\.=Vu1]rOk]zTk ..."royC3wDQx8 .+%bQDFFFh}". . .x8VYhhgg4oTk .:-az0{"... :wkkOpPP*T;. . (tv0gPUpAGbc"+kyw69*&mUG0&G.. .. ,~I&Qi. ....=21UPmTP2 . =
3J^ .+#d04kO5VUL#AFFL8&YOFFc=sanCv*qZac_,. . .|c3V~, . iVuIrsY5y... .=OC23c3cfI54"k4V?(69t.)g9I$JVUi!t[ . .."CCTyL*Zhe4....6!obQFUDD8i. .. :xasaePQUkSPx. . ~Fprn^ ..SFPPDbGz&$". .iyuJeFk5O4Ta$5w|i1oC8*4eG*O:. . .jcTh- ..,J=3gDOddh.. =
32^ .tWx50GGs$Ca"^=*h4xhyXWAx^-JII*gW52C^. .^ny$~:... . "9sC%]uGnb5v... ~8kkny6u$$2+~It^.:^^^.?Ume4zsbn~<l. .^+zJkhqDSkG.. .Sc?c5qDPFX1:. . :hOzfOxL8dWKg. ..=khb7. .. .9PDPQJ4GY%,. .%ghTkxOru]7wxu^.;|JnT*T&8Oh{.. .Ja$"... . . )+%mF8Feh~,. =
cc^ .+#h%l[6okkL..!x0*Zq5Zqde. "VsJ*XXpJ$" . !n37.... . ;++cj1+iyACi^.. ~CCuw9LOY4Vo[i, . .?d532taFULy8 .. ."jJ$5gqpDmIs ...Dp5rrsDDFX. .wVXQ6VKWKK#d .)qPU ...}WA*njyZkXF! ..}bFPpkx611axI!.. /%aOmmr!ti6... ,vn\. .=3w&pO*LG^. =
ff^ :tbuy6o0ZQW(..>x&ZAeDnbAs. ^sTrg#SAI+. +7". .. . ^$iilvr+&m]i" ~a9kk*G88TCc|... . .=LCJ2nSd&uT ..!ltfdZZFk]|s....WFV3nvlwdF$. .4OPdVdQQFpxT.. ~be!. .. . .[e55T5eFVFb!. .tQpQqPGzrT&G, ..<nfnn8$+i%w^. !^... . . +ombY&q9,^. =
rr^ . ?gxPSZFqFZ) .<AZUdVDC9bz "&f$qXPb6zf. ..... . . :tT6}JIck5t%|. )p*&890VcCy~ . .(shI+2FFxyi . /r9pAFQp$j!Y... #FD4s!/}*Pf, . .*pO*hO8nTf+. . .... . .. .lxUhLQDdLQq7. .=$khAQS8T*4j ...:=a!i+35*8oT=. . .. . .|o]IyZFA[Ve" =
Jr^ .iDSFgpqZxh= .!QdQSTXk$&T "e%veDFPzz1 .. .... .. :~VqCtju8z2Y) ..)8k8522%$5mc; .(aO7+IsxQFV=. ."$dddDeY$vQ. .eFQD5%kPh3>. .YZeqQPZU06uz. . . . .. . .)65OgDFAqUPu. .tTw$*Ud8Oa). .~xc!|jkaTs6!. .... .. .. .|Off4PVT8Fb^ =
c1^ =ZggAA*auv!..=SgQPwUn2r. "#V$TQPQss% . . ,";^;.. .t*dk3++*T6V= |YnC)"tI4*0+... .i82]ww6aPpx6 ...<8AqFhsu9uF . *PS#q1+!~<. . ,4QDqdDpDxw5b.. . . "!"\^...=?78xPdkUPA.. .[Gk0c]TLm&2_. .?0o$u[TLCzw). . . . ;^"";...+dmsYGO&DF*^ =
21^ ..)ggAO0n11]~ !*SbP8LI]t.."Kh6IdPUna] . . .."${C}:...|y4$a[=sTV*| . =3ti~!1GepG+. .. .ib$fC3CSDQF ..!eFDUnuIC5W.. nUFXSfvttCi: .. :ygPQGSDSh*gb . ..ia4h]^..|i$mVd*CAUDu.. .lhYeZVTs5&!.. .=u96zI6$n=.. . ...?s*n|...iPbq*Y8pA*n;. =
c%^ ..=OLCa&YIn8= ."J4L86yG4k+ "DWQxDQSsIs . ..!}=oZicz{3{"rOdbA*DnyCC~ ?8kL8Oonzc2t. .=*o|"^~lZPgK . .!qDQarvuCJ2L . .ITPW#uooont... .%qPbLJSpmUPh. ...!YZYG&aDOsg2swY9ZTrD5Lu. .iDx&bFdDPPz~ . .!3Cft"!t$8J!. .. "sT*GFDXKWWS]QqQxq0hPXq^. =
3[^ ..?PFamG&LpF( .!Gxh*nyr3&J. "KFDUUFFonV. . ;|3o3o8c+~"\~~7Cnbgx8C333! |G0O4mGkVnu+.. .=Y**TYGTmeFW ...!DUO1yzys8xx . IfsxFuow6y+, .|FZPL2rTmQWS. -xakmdUe8!!nPe9e&o?iT]ao. .jQZY6TGbZgnl . ..\IVhm7=z9)... ./wfJc}]w==0hUbQm400*&Qd^ =
f1^ . ,?SZ*n5cQAQi .!ASdegZ4*4} ."epQQmAFy*0. .=smS5yLa<; :!y0VAGko]ftJ? ?pp4VGV40GG{ .!asO4gDq44dX.. !q&6&bQXFQpP . 3u4qo&5yC(, .. .~dbph1cYKXG.. }p*0Tm*qg.. "pSaey/^_r0Uw. ..+UQh7)[y&dZ{ . .?na*kG{Cz%C!.. ;o9v%jJur=,.^)ObOuY*aOSFU^ =
f]^ ..=4OpT%2FgPi "VdUdUDDbUw .^5ZFDY#WzV* .*WK#qnQp". ~pbZx9T61vi~ =*GOGOGmL4Lt. .1oa&ApFe4gK . \hxpSFPFSWQq ..sncsAkCIC+. :=FAPh[1ikWA6. ,2DKQaUpYx. .&Z8A$^.>6qPz. .[AFps9aa88k{. .<L8*G89wu$$=. ..)051vCY6!.. ,tYy3kUk&ppQ^. =
r3^ . . .tQnQbywY4Y~ .!o&&AAAdFPs "U$%8#&Y9xb. .uPPLurVXF+.. ."d*YIf5*[[G&=. !raazIas&4*7.. . . .?U2aWxsDF*P . ..!ePDQDQFDOu]. OIo2u+uT447. .!sPWdl+7n[Ia. .)GWWgO$LG {ggqo++1PFS.. .=dAUdy4Y&&g{ . ./CyIC]]r$&i. .!$GT+c*wmL). . =1[khQb*nDg^ =
c2^ . ,tXGt5VTfaO= .>h5L&hgUQn.."XGzoae8*Xg .!F5(~)IYWPv: "mw5h&2r**= =yJO5J]vf96(.. . ..(D8~thFC1nOP . .ppdhLsCui1$....69nVwfuzr. ..\$#Xx]$Tynw%..=mhKQPV06CJ .+hhxivcyFpU. ..)VqdZVx$fLZl ..,t6OwC7f6ws(. :IxxT[Ynnw~. ^=TdpqQUYxZ^ =
Jf^ :.. .,tKxi6%ausm= .!psGf]5kYe5,."XgDhJqSmF&. "Zi?!!vTKgj.. ^G5Vab08$wk*( )L$r1uII6zt.. .)dUT%LPWJv4Q . ..^J$cuttt[fkm. 22*kwaYT647.. ./3pPhwm9o5k$..i#hbbqw$IC(. .7Z&9|w?iPbg$ . >+5hSg6urIZv ;c8mw2[2JV[/.."&Z*zfwma9a= . ,iUdPFdDs(o" =
Jf^ ;^:,..|ZFiJ1LarV=../Ys52|0aJct:;"bFx8&48xFb :ppTnYV%LXUI. . "P095d&&$5k4t .|8Or1C9TyG8i. .. =g&[yqXeVkg. . .;=Ja[$u35*Y. ci$Cn*948Lt: . .~&phT55$5G6..=Aoosa[{]u~ (9*0wy=?nUQI.. ^6sVb4?1$TQ7 .!OYz$3%iTSf=..~S4GC+cT98x?. .^nAFDQFPG;!; =
f2^ .=!/;:|SD{w$L*fI-..!ezLJ!nY49=.;"FFSO4mbdY0..XXUTT4O0PPn, "bctx*m*Ta48t. =O84$oosoG4+. . . .!}~;^!hPbaqD . ..!aTf$%L&[kmk. . ${IITmT69i:. .:!IaZez3Iw6YT..(zosTa&Ta49 !vom84Vx*5V3. .=DVGeS(Iyq1. =o6f]uw5DUI)..(U8Vvlr&sQW|. ~PQF4DQUP^:. =
fJ^ ^tTnt?2mOszzqSc:^^!hmk6]i99Oo.;_Xb*50Lxd01;"TebbeV0smD]:...^u(rU0O9GLYm)...)8kV*z$cwG*%.,,.:.,:,.jKZJ~")gQFFa...,.(SQPDhV6rJ$Y....cICY&TC6C9j;,,,.^(3rzm]2Ircx8:~0Yq08m8G4hL:.:.tCCw6r(t4eZ+....[AQ&7inmwcU}.... ~m2fc9VUdg3~. =OYme8L9Tnf". ..(&0kT*Qbg), ....... =
fr" v5Zm9r*a5IqZ&^C"<eV0+CkZaTl.;<Lry04as9t13?wQDDSForn0n:^.^^uI8e0JtxGLm)...)L0Lk*T[f**],;^;^;;^^.7XDAholoDPK5..^^:>0PQPQWqrfcY:,^.rw$50O4O5n+^^^^^;t6u3sIo91c89;!zSe48*8GGAn^;^^!=$TVOTt7sa! ^^^vFq2=!sh0+01..:. ^^!12cY&40f!..=qqAew949&o!....{pV84TQDZn!...,..^^^.. . =
2r" >58qpLnIaJegh!s^!6u+=f&As0s^;!CJ4O5{Jwayu"?lQDPF*)7*a^;^;^3TO8n^5x*m|..,=0mLG84TCy4},^;;^.";^.+KDAqSGaDbPa.^^;^-wkbPSDU*ocL.^;.20zswVzys6i^^:;^;fa$fy$m8itvr^;{LG**8maaa;^;^^+ysm4q4YT".^^^%g$"ifIs0+a+::^. ..^iII45Om$!..?pxU8tTP*x0!...,|ksb&wdQAUv^.,:,;^^^; .. =
rc" rmGqA*If1mbU{n;_yur5f6bJ!!Im5$]aGV9".!"feQZZ}5n^^;^"s6bkt^.?Tk*t^,.(yaG*O*4nn&l;^;^^^_^;,=k*FdpAgZQPk^^^;^/%0nhpFKS0]5:;^;C4CuJI3$+^;^^;;zo9su8m(=%[^^iY5$$nu1f9"""^|5I6Ls*Skz[";^^^{6!.iY5y6iCt.;^..^!t6&L&VPkC_..)pUxT+kDOGk=...:taGZs1VDSQ^:^.;^^;;^^ . =
J3" :/yhxxGGf6*Sh0!!a+7J9L*8*G8m$65TTzuwu^^~n]$epqDxa6"^^^!YG*91?".^}O+^^^tuifnYLzmnIi^"^;^Ii^"^jg*~?+{%zmxg^"""^(rtjrwzo0*&^^^;^vzaLsmG*&sj"^^"~Js[C*J*a6CL&5/^==3uJv~OmxT"""^fxO8e6+ze+(3^^"^]e0naYeqT=T];^;;:?U84a$AFLJnj.^"dx4IkWP*45);^^^(ZFLzzIhPDq<;^^",.,^"":.. =
fc" . ?r8OVphC8pbk~!]1!?2]CC$wIL$wI6Cwc$Y*""+xDWFU4hgV]""""!ffomKXS=;!&7""^(ryT24Ooh6u1^""^=a?"""%n7=t{71a*Q^"^""to^=t2GOa5i^""^^}xAmGG4Vnft"!""lmCC4f9II50*f~"!t6$rii*m0w<";_CYoTmT+=o%!J^"""%VSgAP0xZuo7^;"";)en%C0Dbu{h%^"\o7tIqDpzsTt^""^lQ4Tk8cfVdU!^"";. . ;"",. =
3J" +Cl&mLhzomxs~+%""$01J]9Cj$uCk8onTuc""=ubFFPqbLG>""^=aJCxDFXejt9{"""{k4]n53mnT{"""!fJ!""+OkGeZFSaaYS""^;"iO^^i+3owV!"""""jh8k8kos9cc!!_ifiwCTuICz58a](!!+$11[&kG8f!!"!5*8*m&u"=1|%!";.=$0h8U&hG∋"""^tT2+aqF0}$q1^"^>i]fVZOn4U7"""^9&&fwaJ[CLO!^"^.....^^";. =
Jr" .j6(fOqVGoTe3"!fv_^lw%%kC+i1%CuG*Y09a=!!iSQZFbXSkz<"^!tG%jQPDDQhw9t"""jXdr1]1LTO%!-!=4J!/!!CSQPPQFOk44x!()"^+e"./)tI*&"!!"--|mY4YyC$163]+1Oat}JIwC$C8s52tv!!(%]uT8mGm2!_<+*8I5gky"=i=i!":.-!}y0wuoswk7"""";)fuJ0PDTcLD];"^"vS$0ATaZPl!">+mTC]zT5$Tkai_";,.^^!\.^". =
2f" .^"""!!7ffji~ti1rannxs1lcaaVnau=t]uC$n9oT5wwzI}8?$aw{nwY0s3DGtPboI&*eDhs5}!!-]0rr1]Csh4zO3_[g8(~|(=c8a6y6$z9[$S(Uh4~rh[=ijt}s{!!!!!!!}fjtI9o$*t3C*y="Tl|fut+j9c$x5?t=%&O88**J[?!8&m=7m9v}%j~_^"|zy^"+[jsv)iui>!\~~vxOs6Y*pDPPI!!!_~&nzO$*QKb612VmSSgpqYs*een~;"!1dGv++{i?~"^,. =
v3" .!$$Is40&hpbZgbp&k2c]In*&OCzOG8T0v+[5J3Cf6w$r3Ifz2bj|Is0hV4gU0S4=AWg+1ne9TZ]=!>tj7tj5sok3Aj=*gx!)=|}24T&O5Ow+t*Dtqn%]aPqZsGd0C?!<!!=!=~1Cf$f}0k+fYJ?!+wfs&6i=+31LpT?=tJw8LGkatv9iJ}+1=?utn5="_+cY9!+f56sUo!ir?-=!|tnZksY*a4qD*1=!!!!t300aGmL4VhgGkPbQpdoGxkYxl+c0bm}3azyi^;. =
22" ,>6L48eA0meG*GmLm4*i[Iyw$+&m***r1Jizw3[I198Yw1[+{jfFjj[YSQVkUx31i=Z#XJ&Gxs5Fp2t!iTsu%T0YO%spJuS8a~=iJOGV4Y84yf!]ZF)Tmt5APPq0mbS}~!!!()=||+lo828Dn|lt!=(&dSA2%v]f4eT!tvvJYVm2?"[$t$]n5C6$tvCm5t!y5)+f4h*s*G{7[?!=(=+fYuTmknozTrt~_)i+iCgVaGx*YOn$]4AUPDVo4QIUAJsxDQ9}JICaI{>.. . =
J%".^|Aqx*8epO0hV8meGG6stCCC*u%]8yGs$!)=i86c2]t1Oz*v!!"!yFClil8AgU05a!)~9KD$==))kX&~!<!=|=t~~)=~=TS%8gL]{IsV84V*kkf{="?tt?+hCi1w0m4eLY?!!=/~i?===|+5wgDsit==;!lUdU4it+2tIkST(1cccuVI^^!Iwv+%Ogg*0z*G0iuu[t$Z0&s1zhc=|=-==|)?+{+iiti=!=tii1v%t3dmzUqgp837}25s9u(ihU%69{SDUg[3no3i!^. . . =
[f" .;\(lCL*xU4&syCo0YaTV7$Clru6+)ttitnk9$o4&Jfu9o]i~=zWei|l2aC]7tt((?ipDe{~=%KXw~=~~((==?==~=}V&20OwaVLem4V5f%lt|~=}j+ti2%"-{f&Irv+=~~~(|?lt+iti1xSQril+vuLUqxuu+1ll]8pbn}JI3ftt~+]vuwj3{~)t$n0Ts5kC$oIzTI3{=!sFx2=(!"ii|=9[=)t{{7?(t]%r3{jYp5{55o3i|)|}3[[7+]PF{czkqghJ~(=_^;...... ..=
J2" . .!([mm*8oIYT8&ssSbT}}vtuwoCc4cqULv3s6w+(nWQ!tFZAL}+t+++=$WFh+|*FWu=!|=?tti)=i?=nmmyw88m8m&8i|?+}7j)tv7v+)}l}it7]i!tlt~+ts1tiA[+ii5PDg7j+IddAqkizQtff1CSqh5InJ2j]l8F43o8=: "2%[I$%1ooy8zf+(nQDd++=^+it]g%ii=|{+tJ+iju[lyggyj]j}t=\!!=1r{ot2FXvaDPASt^.,;^!()+++("^..=
2v- .==Ch*V8eiv8a8*8wASgkj+ta6oJvLv4DFswIo+9KFr^!zgAFdt=|?|t8QDt!hDZ%)(=i7tt+(!(i=[9*&*Gm4O8nl!i7%}7t+t111t>7v7j+Tli/)]v=!j6&f]iDsi[j8QQPt+7*SPqA!wFftJcyZdPsJC]j+caSPL%$ao!.,?2[vuGti[+$w*88ksIzSPpl1t!+7sDv++t=+ttntt]%t7Gxbf+uTn5T5ojj[]L(%Ue3dFPGt^,!t{aGxpxge8w+"^)
J[/ tc4qkG*5uG4GVUp[0*xPY!3Tmw++nreZPZwu$${IWQw"tjmFdKD&v>^!!IDpI=PXQ{(=i][}+i}yn*TI9Tw9u]TyoIl+}+i{t"+tIu7^t$I%i0$!^tc%!tLAn%%}De}{2xgFU~1*ADeQg}+6pz=$5sUUD6I2c7%3sAK*+z&IJ^:^1r9w*m+=t]lIf9mw*6&uZgD[ji/"(T4F1ttl}[1+*1|=j16eAh%{9TaTG4s9yari*lIPhGbFSw!"=0AZZZdgpSUzt". =
J3- . ^CY8*8T2|*8GahhxC={CVn2n4mt!!s9r6mKKenoIc{eF4+c6G0OFXPqVt=/"hgxnQQ&6$%7}]3(+2mxgUG9u$f20kY*&V0o6t=yt9$67^![cltmO!=Co9xPx[%uzQPh2jDFbm1GSASni=tfceerjw5DgD5oyfruu$6r|!Iz&6j=|$TV8af(tcJ$lt$osCcuT3gqZG+7+"}hPe1rfljII1S5%j%2xQQmjtoknYY8&4ekOeTVgUQQSZLa0hpZgUbd8yt!". . =
Jf/ ..=TG0r!;(Gm45b8mh.,;/+w0To;!^$w52{DKDFQ3u73Ae2JQF!IQZPDQD=IAqDDPp#4u1t[n7!uxFU8mivCfnJO*0Gm86C4O3nrl?(]$uilqg{IVFUULuo2iyIQQ05PDA0FgFDj...6n[VD0{vOAFZ]7uJk2$5^.^f5*$(80*Go9t~"y*$L*{756I}t==YpPQo=+t4A#012171+jDU0cz4bPUv2j2mT94FFQ0&V&TkLZQk4ZFSDPDPPPhs|";. . =
JJ> . .:&oLV*&":;]dG*CqmVh,..,!nGz3.!"a9ou)Y#PFFkcv%FZzyKWt.!L#DgFFgG%&pDPQWPTav=7IufeSq8kG2f2oGL29nV*&Jw$IGaJ5vlT$CIjCUb3f5DQUm1[57/%3xP4VDQh4qPPA^ ..O%bDsikeAF=/+yAJJyy",;3$$][V56y6!!~+yw2xO9fykfi%?zPPps}i+hDAarfucIt+APkCzOgPh]59362apgDDwoa6xUYSUYpPFSFZFG5%=^ . .. ..=
23\ .^ckG*gC.."w0Om7bGk8^..,taw5!."^u9as~+xPpPFntcPZO0PD\..!LdDFQDAsrGDqF#4uy+^=TAbg&8fo6viuaV4w[1uCLnJafu*5vCCzznIvurQpwzebdF3vss1i7tYQgYPPeAQQxl. .^TIttVxLisFAe!:i&PLu90i^^}J[fCocI^;~aLzzrdbGsvI9%{{JQQpktt{FUP6JIrJ%ortAPAz$bQp8]Y8}oVhSFpa}$C$0AZqLLkqZFeGni!;.. . . . . =
r2\ .;t$sV*0f(..^tGm&e~8V8G".,>2J1|!>|?%TTz(^>{shFxLC8PxghO?~!\=1[SbAxhTLeg*ouf)!|9*e0ortjsa{]Two4Yf2ura]{al5n$TasIcjc45QYOxPQe+!20n5$GwoeZxegZh$+~!=ilJOn6YZxn&hdG~l8gZ*iin9[=]3JC>rwIt:"%GLT5zebgV5cc{~8Zde[%0QQZ]6TzIo7nGZ85DDF8wTuxFQAGy?^>|I0Aekk8x84&nIJC2(".. . .. =
Jr\ ._Ca4&4%. .=mhmG4^3G8m=,.(aemmSKXFdPDbA&j]&hpDF[nTww8ksAFqAFPAFFbGA4q4FUc)!tt|t{6)!&xC?c4YTsV1iC$saC$$ouz*Lmw!;;(D{aqOUDQx57IZDFFVwKeaSAxYOG15GZFPPpQQgbbWPdhOsiQgZx=,;tmozuwwo~azkz"iCTG4wuL[r*xAAeIc~tQpqorpQZZTJJ9J3l}CCYAFkFDqmY$IxDQD*sgz_[xXWbpkYeDADAPQhf2f7". .. . =
2c_ .^+8TnTz . ^[dm0GJ;7OGm|..={CLAhKFdAZFPQQbQqxS*pFl3kdPUQUQdFQDDAUUWkkmZDFd[;.:,;+8y]LG+!ukZma**3[J[IOsuCI50*9[".^~b[apbQPZO44bFpQdPTPUmpgzCoUxPQFbSAggPUZQWPesskCoUDdv...!w*ns96u?wTY[=rGTy]|s9uTdSQFxyvt!kbFVJbPQaPC7%7fsLYbFD*DQb9waYPQPd8pb*+hPAqDPa&Ad&pQbDbAd8c(;: .. =
rJ< .!n8ayt;. "JL0*mf,t&Gm!::+^|rGXQSDQPQAAZQFFUY5IYqWWDpApFbbbUUPPFI+v&O0DF3.. ."sD1+*kk!!u&Z8$zm4oI+Jys$uzaoCIv!(=tba4bZdApqpqbUDSQDPwpUD0k*DUDPDDhFFADdPFqpn6*U8cVbpDi;"!+wL8sz89i6z$u240LY==LaJ4qAdDh3v"2ADgngQF1WO+%ueQdV2WPDeDge{9xdQqgO0XZYzI*SPZD55D&GmPFFpUQPb5_^.. . . =
c3- ."~~-;. .)0m4YT~.>$&G),;"...;<1$G*dQQQpgASGYVeeAbKFgpFPqgeSx4T3tVTYheTkx3....temi*hef;^7kmhn)Y8Gaf3Iww$JJ6uc$CfcCe*xZd*eUDDPDdPx8z+%nLhhe4hPphSA*O4aOmO5u6hhZg06hPAh$nVLxo4k4wwwcwr9y6ms4!;"9o5J7USASpOr+tDDDOFpG=FJrOSXxnJfdPDZdQ6ugFqZ0+"iKQhl+8DqxFh3PFexGheSdZSPg85)^.... =
cJ> . . &GYm5!...-uk=:... . ...:(2C=""~!(=i]lvzYyzj)_~t)>"%dZZZFDhDd{[=: ^j!,(UZ0+..<688d~!+ra8Gowu]=|ITnYz$]2dgO8wGwv}!^"!%rC?,iFqbcIhXPFFx\,,.."inFDxd*35UxanaVmwsmyo9$v=iifa9jw6T{..^owoT%tlkpQZd5uxDFqQ8!"yDDQF40PXx0dDZq51mDPZi;.,^ion5pFpJ5DA%sUFb3/;"9SSDUdZWK+>. . =
J3- . . .VVom]^. .^7a<: . . <[3^ .;^-ir80&Vk5T!.."";,.sDSDpUFPhQb(!+! ^"..+UG4~ ^C8*8+"t58*8o6fu3cJv=!?ticTghSV0GJti;;^yak="xPDF4?}gFFFPTi"^. ,"$DYpG5k&kAd&6a*&e*6$uII+7+I$?%soy!. ;$56yf^.|GApbF4yqPbDs/!pDXFg=2xQbVUQLkYahdgd)=?tlv3ossan!OQPu|pDDD{^.^!iaZPeXgxy/ . =
2v! :0kw8!. .!s". . .. ,tJ:..^|}eZq&LbUaei..^...!QQpDqbgP8QWt.^^.;...%mL4^ .^JmmYJ::!I*9o[icz$+;;!1eDSS0GkQ4mx$t"^yhY!jPPdDD]=+QQPPPd8+. ..~smbxVmnxDpg*1[c4Tmoo$uf{+~""CaVt. ,1yC?..;!sQpUO}eDVDJ!wDPQP*;^isPZUd44LeSdQYaOhgUASd*G5t"agDC"7UQSA],..."(nbpeex". =
3v! ^k5*k:.. .;[^. ."(:=j0SFggZeFUUzIx;..._vGPDge8DQFIQPe".. . .^z*$~. ..t**h$;"i06$y9$$Jzz$?~LbKDPmfzhepUQZh*sGYu_PQKKgbg6=thDPUPWF=!i$VeeVoI7tt~";:::^!?iwo91?)?lyz3t~"^"tu$$[?=!"~LxZDVGAxxtupPe5i".:^=Gxebk4LheAAqbPPPFPZPZQk$)n&xC.^?eDDP) ..,^"~(|{=;.=
3%! "5ws{. ..^^. . ..^!wUFhPFpGhFPYGDV^J+./&QPpUa/^gDQG"5DX+ . ,i$!... "dGZC5G0$!kTC6yIIV62zUQFFQ1tqQ8qUFDZPShpptcFQq$PPA:,.^eDQKPpJ"\|IqGDFPFAPh|.. ;nkO4L3{aI$r[c$G*8mm[=LeUDSqZADSpPbYa9Y$VQFJ+!^;^+VqhVV*0OsyGFUUb&5ksvjl==!^:hFQa .!FDK*.. . . ... ..=
3v! 6s6! :^. . .;+TAQpDqF9chbDowDx,!]"$DUbFG!:;DQby:tUZt . .;2t,.. . ^hAO3Yko~"2kzwo6o3aGuC&KK8YSu)yFpSOTbSQPhT0oG#KViFQg^ ..~seWQDbt,^tyCFAPQQpDq<^"(}%=C!!5ouii(JT4mmLat$uexPPDAPppPQ4m&8shqDs4ay6=^<+ZAee*0utjl{i?!><"""".^<";SDPI . ;qWWx^ ... .. . =
3%! .!T43, . .^ . ;=pSpQdZe+cZDZlJDq,.")FdDpDv.:!PQUt.^}x+. . ./J! .. :kVsa]!;)ayCIu*mCtry3UKP9kD6!ipQbn|vbAZDgdsxQK6!QDD(. :"=9dQUS!.++7#dd*ADQPWe7^.^;,t^^o8mc(.^!=++]2tCCIz4QPbgQQFdphV8ObQQFFDpAGr="iap4xVori!^;,....:,. ."^.hSF[. .y#KA. .. . =
2%! .=V]^. : .^lmUgpgG5=,^GbAS"JgW^:iYeASgV;.;jAZs"..^~( .;~_, .. . .z3Iy^:..ukT7+2Y&o^^i8KK8$qp4\"eFPh~^"~9GZg5PDXs!mqP. .;|zmmj^!;+DPPs|rLPDWDn^...".,20wz=....:::;JC/"~(lu6Tx8SeUAeDPPFdUPphk+"t7(FPQpxn[!;. . ...ZD#i >fSD[^.. ... =
Jr! .|;.. . . .^wb*p0nJ!...-yqD*=.!gq"1edPz!....|ZQ;. . ^^...;. . }4qz. .:Ym5!.^{0o3^jb43PDS^."LFQK+. ;:^_gKC7&taFF=. ..^!",?S9qb(.."C&PPA6\.:..:i;!x8=... . "$C; .vOZDxzPP1=4Qx~:... . ^;:(FDAL5UQdk?;.. . .nXP" . ;wh7^. . . =
fJ! ^=. ...^jqx&a(!;. .vgFSi^.^wd!kdgw\.. .thg!. . ..:;. .. )08z ^&*T^ .!T6o!5h!!23FPU!..+QdX9;. :..;e&!_~=+hX+. ...;,^^~u?2Xy;..^!tyDxI; . .!.^3dI". . .:=2:. ."qU#pi3QAC^^=mz^ . .^.,\DFg47LpDPO+".. .A*; . ..=qI". . =
JJ! ."_. . ,;=v{t~"... ^Vbh0". :tauqgn!. .. ,tQ&^... .. . . ."n*{ ..^G9J; :;wyuc6+,.!lDUAt^.!eFK8>. ...;h|...:"yX]^. .^ ..~+;?gQ=.. .."J*q=. .."..<JOt. . ."+. .;6dQUt!4p)t"...)!. ..;, .>gp#Z=t*DQFh1; . . .re%, ;0L!. . =
f2! .,: . ..,:,:..... . .~PFm!. .^vC)":.. .^3Q!... . . . .+&t >m9=.. ,7Gr:. ,!PQP%t.;ieKgf". ^),.. ."P0. ..;;. ^^.;zWu^. . ..:^";. .:...^29;. .. .". ;CxeC";1x|^;".. :^. .^"...^]aDW|,+&PQD).. .jz". . ..!i|, =
3r! .. . . . .. ..IZP|.. .:"!". . .^9e; .. .. . .^{~ .=Ti^. ~a2z^ . ."SPh+%".^iXAg{. ^;. ,nx<. . . ... .=#Z!. . .. . . ^!^ . . . .=F8=: .8t:. ;^.. .;^:. "^igDl .!nDAI^.. . =_. . . . ;!; .. =
cc! . .. .. .^kI-... ...". . .."+^.. . . . . . . ^^ ..(!:. .,{aw! . ^SKI,:"; .uPPG^. . . .. .!G>. . . .. . :$x).. . .. . .. :. . . . ..!~^. .". ."". ... . ^.^1b: ..^"C", . ". . .. .:.. =
fr! . .. .. . ../9<: . .. . . . "".. . . .. . .;;. .(^.. .!y6~. .;pK%...^../0qq^ . . . . ^7!. . . ."o(. . . . . .. .. . . ^",. . ...^!.. . . . ..!oo. .. ."+(;. ;. . . . . =
c[! . .^>"... . .^. ..: :!.. .:ow~ :hF=. . .~8p~. . .<>. ^!. . ... .^. ,!r, .:^^, .. =
r3! . ^^... . .. . . . ,; ....{9~. ..&V^ :|$7,. . ,;... . .;... . .). . ... . =
13! . . . ... ^=~.. .}!. . ,i^ .. . . . . . ; . .. . . =
J2 ....... ... . .. . . . ... . ... . ^/. |;. .. .. . "^ . . . ... . .; . .=
crt??()iii++++it++ttt+iiititi+itt+++|?()(|?|)(?(?()??(|)((?|)||)))(|?()?)()()?)?()|))|?)?|)|)|||||)(?|?=?====()?======)l====|})============+==================================================================================================||=)=========================================i
e3ZYYd
``d$D5ef
nd$('Og
sIRC4.exe
C:\marijuana.txt
uk.undernet.org
Runtime error at 00000000
0123456789ABCDEF
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetCurrentThreadId
GetStartupInfoA
GetModuleFileNameA
GetLastError
GetCommandLineA
FreeLibrary
ExitProcess
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
user32.dll
GetKeyboardType
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
kernel32.dll
WritePrivateProfileStringA
WinExec
UpdateResourceA
SetFilePointer
ReadFile
GetSystemDirectoryA
GetLastError
GetFileAttributesA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitProcess
EndUpdateResourceA
DeleteFileA
CreateThread
CreateMutexA
CreateFileA
CreateDirectoryA
CopyFileA
CloseHandle
BeginUpdateResourceA
user32.dll
SetTimer
GetMessageA
DispatchMessageA
CharUpperBuffA
wsock32.dll
WSACleanup
WSAStartup
gethostbyname
socket
select
listen
inet_ntoa
inet_addr
getsockname
connect
closesocket
accept
wT<!NKL?
m{|4h,
\+&go+
WP\|nj
h+;I!U
YLLUy=
~`d$$uh
`d$ Iu
vW4$f<$d$
$`d$@9Vd$
rY;ETc\X_
00QSp"
q_}hp54?cn%Z
)(RP Gb
fE@xLlk-i
}paNC2$^Y
pvL}|AN@$^\
"| LP we
}|xNO$__
dehw5&
qFxo+c
EP 'ca\
qK/=&o
PN_}t!NKC$P\Y
g79@pFm+d
)OL}}hN@
#wI-U4\P_.
%)("P
l#0{E6
|}w8ND:$ PR
Uqo&mN}f
Iwqf3pk
n.(2bN"
N'@s2UdG\P_u{
^?N-u/qos+l Qo:f#.
x0tvz$(?nP
{K?-eQ
GL}x(NL
&#bnii
}}oCt+A3
Ms&(QrNP
!.ZtU\[_
@L)'?iW$J
.^Ci$uLP
a?>wI@7
~.(L^"
29q:Y?
Jw/vast@
_2g/|'(
5H\V_)
SK1!%zrue
`^&i'L
}{IANNj$TR
fDa83X
r9qo?|
vYe$\R_n
fhIw<mCNf
u/ul}+_
0,080<0@0D0H0L0P0T0b0j0r0z00000000000000000
1"1*121^1f1n1v1~11111110272
33E444
5X5555567
8/8:8E8M8W8a8k888888888888
9 9&93999S9Z9d9n9x9999999999
:2:J:R::::
;5;_<l<<<<<<<<<<
=#=|==
>'>,>2>>>>>
?!?G?S?[?????
0#0,03080>0Q0Z0x0~00000000
1*1J1b1111111
2$2,2222222
3!3+31393?3E3L3V33%4C4O4W44444
5+5D5]5n55557
8/9X9_9f96:K:~:::0;7;f;
=$=5=>=T?[?l?x???
U1]1f11222
313G3^3s33'5555555
6.6:6N6X6k6666
7A7H7j777'9O9V9n99999
:c:v:::::::::::
;4;?;\;f;;;;;;;;;;;
<#<E<Y<<<<<
1U5^5i5n5v555&6-6?6]6f6r6y666666
7"7)7-7G7P7Y7j7t7~77777777
8,8=8N8Z8_8d8k8r8|8888888888
9&9.969>9f9n9v9~99999999999999999
:#:/:<:N:;;;;;;;;
<"<*<2<:<B<J<R<Z<b<j<r<z<<<<<<<<<<<
=$=.=8=B=M=_=r======5>}>>>>>>>v??
0l0{000000
1$191X1q111111
212I23g4444A5s5{5555555
6'666E6T6c6r6677z8C9V9g9w9999
:Z:M;;;;;0<Q<
=)=7=W=g=== >s>>
1A111222
3M3U3`3|33
4555)686\66677]7776888 9>9i9999::
;C;;;;
<2<D<<<<
=-=p==3>?>L>^>d>p>>>>>>>>>>>>>>>>>>>
? ?-?5?<?U?Z?d?s??????
0q1111111182R2k23444
5I5V5v555
636Z6o6666666
7R7o777777
8-8M8e8o8v8}88888888
9+9J9y992;:;];;;;;;;;
<<\================
> >+>6>A>L>W>b>|>>>>>>>>>>>
?%?0?J?U?`?k?v????????????
400111
2,212@2N2222222
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8h8}88888
,000409999
1&1j111162_2o2|2222222:3[3y33
WinSock
System
SysInit
KWindows
UTypes
3Messages
iconchanger
sDeclares
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDd
FOmr0X/n%
F ?%(`OV$N
"=vV;F
auX=*uYsB
hl#F|wfE
EH;x$=b4
KdcWa5VC~Saj
riYp Z
w$W|5j29#5i<T
YgD|(5
wHl*PVbOq
!;k7EL%@
_--5k~ P
&5n=cB(
oAGX }N{T
p' CdAO
s-KXG,
pGI1{hrcWbF}A
HSt$vV~"v_$xzm8c;
l/SJ9Fx
=4("H7IeeF%U~|
'Ha6s<6
]2W]`eA[24
{=t:E"aq
&g.OXI{Ib
gF 6yuU3
l=<Q)
X$Wg^;= Q<
b1`V<g
g@F_,d3
s5;n;fm ax
9zHxih
8Oi_Z7GN(
dOcF`r
lExTJq X
j[P~Fex
-j_0X{$_| N{@p
Dq=^F1_,*
`1*s [F
v"[D#~-
D/#J)ka
7RdhjAMeJ
r97umN6%?
(a`!!w7F
_I?kQ
vE_;v@HvP5}
.dB&CLb
Ja\hnS
qcd)l4
u~UieT_
e},CtT^wH_bs
K7,2-_
^%'{j[89
9y}@Wm}<t
T!8wZ9Db\<^7@
4&o0>T|
TdwQYFa4yMX
s0:"BACwd
YFP)6SvJWA0
\M^)IA%<S;1V^
p9v[>c@kaZX6-u
VI"KEvip4M
(p8quX
2FPHOm
2l)1J:[
+H+^Kf
da1EVv
Z6>9QCyva
U8ur&1
SB-.]Fa".i
YEWf/Z
:)+}5'+
u;c<^Hi
*xx%?O&n*F%`(
}$4dZTs
T\=`}A
1EKWwA
D{0c<_@
'A3O+^
[!urK ]C
&FkTRI
O?@r6XHiqy7
W@8/,8D
[Ol^Ned+V
kx+rEcH
!ZzE#F&o0
Ws=dL7
Ja..3)L wHT~>jd
yx6D&x
=b,4J7c^-<]`[-
gFZFj5.Wg+{
InC_ 0`.
9Z+A} JX
^NjA`?qNB2N
p9=Hm zY|TKj8
#pm0OK
Og">gb]Mu
w:I^-%$o
n_^\VX
@icwel
]!dG0`otl
0&BeE2
@ :.m9
rGwp%R
d@Pr~|"smP
s!<C5}.1U05
#}R"-SC
+=8}0W
>(<VmZM3
$[bDBA|L8
6eC=Yt!JGM*RJ[=
g9*xiK
BIh>JQ
"\|`ig
9dx6aDL
'gI=XWJ&d=W
)LO^cV3U
:Zm!CGO
UCxiN\
QA,cZk:$x
x:Uu-:
& :np<O
`{TgNG
fekeCEk
z^cjTIW~{
)4=g9jf!
uzJ,&H
aa31?]
(?v>kqI&P
+){Tqo[<y
G)+O+Ge
d}o.$U<}3#[
)nNFBf#6
4;uc(fM
V`-jr9V@b
-=&`ano
,9_(0mEp
Vyj~=X
Ce1bgQZ/x^|1bJe`@s${'ov
KC*AY]
x~Nx5bO^(,
Y9_lDj
r9~3nGX'th'IV>
UW-0\mZ
1Gq|w 4
5Yqfj)rn
?V`G|u+
$#m0nocYET
!("HVFRc>
"#MCw-`
<M:8y#
4XioPcaB
NlZjO(
2!:"~e~K_k
Okm4Kgh
KnO;oq
>|s!?GH
z2e7-J@
Lv *GD;v
X' i{Pe&E
,DoIBc
WSvMpT]\Q[vlj(B.Q<"
O]fl,Z
'=x3PjP%n'\yBYDm
VtptG$(
'Y0;9b
hC0Aoqpf
Ds|%wQ
9hMyUN9n
QduE5Kqx
W/<$*=
GGkA\G!
,6kl*
kY-,\nXuHLh
' [)WKC
6?!(<<
5e'{C=.
gi'2Eo')g2#B9c?Sc$
-|^LFy
'EZi!.e
\B,{B@iL~}
kKt ?A~
x%31_(EU=s
_k >FJp
VBRQ-;WI#j
N;3D]>A90
IT^%oVm(Q@,!
)![Y^C{n
Y/(LE;
N<7P6vG 3
MNg`TJ
$z=idJ
x)u1///(l/
pg,gBL
x@uS?3+
&\uM\w
nYWE2dVEU
{21.'x
I!I2SCh+
VHw&2.sR:=:1CfgN<%S
.V.~NCb
M99a7~
>"+K!*>
YXNF]Z@S~
ap;!kvgR%O#
xj)U3 %
~+a[^M't_
FSfovA
JeT`;U
b*3\ne'XO*L?GH
vrUxr8^
~jXw[4
P#HU|-~Tn
&i+36V
n)" Yk
D2Wt-J\
{KKJ-U
a"hxa-
{^NAr_xp 3G
MMjF&(
fv#xFJ1
7T2|X7-
S#q_C*HD)Q2
(nF? 8}X`$M
rnUH\>6U
JZQ f\
ErK'?@A
?!B~4b<R+>,?.
RK,rH5
_8fEuG<
O_ ?_IMa={
2&F2Ks
$Z7>TsNf/I?pejnGKnqUaSx
:*QGc-Y,
$`?-1-c
"'8<ayC
uTO@ ~ c^
cZcm`.
*6zR2ka$"]
d9K@OQau
k5D-XZKv%
>9T j<N0H
F,OBu+V
X|Z+"o.G
A;x="t
& .ix?Tw.MvJ
YRGB N &-|M
2Z$.31)
@x|6^:]
O-=]]$.
Bv.\@ K
[c_n!&,s=tx1j
ALoEcv6
7TM-X6K
,j5MvW
Uv0 "}z
3k_(5;L mv
4rTk->V'N| q
~M&S*H
*+,.~(
D_Ccn$
,C Dl#
++||, 8Xs7~BRY0:
W!iqC/z0"WsW:BQ
ns41Uq'K?eNN8[h;nb8a
07TW_)
B-LFrz0
>I;m]Gkr=
;WKL]j
ozFnFM]
)~Z=5F-<Q_a,~7a]$Q+
|^"Xq,4gN2
GDAK!FWGr
=MJ>vw2=[-4R#Y
=9+KhN
a~J1F'
4/t%;7w[e
#R(<h!
zR{:FCSufE$\
*'qqb=>
-CSxD-m\c
jf_.D:4;F%
*@!_2m
aqkU@jj"|c>I
%m(tAy
i4*y3A^)FHp@
PX'AWG.lCI
KHR+,"IW
2Oz/IHZ
3\4cL#*mUAxZ
|-h4uh)
RIAhx~;Qw(5
00ua+^
I;]^0P\
xryXLSUJ<
_y}6As
>BZrbGY&
\=ZEo,t
Z)9,A%7B
!0q9I"
9K[u4 -=Y
E1yx^8z
PF`sV"k?\x
g45}U2Z26
no]i-L
Sdy/$cO
Q;}Rqk}'
bplL!UU&O
Xw|Lw{
A}T:^]5*'Af~$
\Fh<<u
'Uf"H)@
L:g(j9=d[L
mLPEM?*]f]D/Hmt
7plSI{j*r)
gYjNLgP'C
61QqnF$EE
N/3D?3q7
LO'^_}>fV+
hvPu&)
sH{}TB&
f)qScLy
nQMHLy
YQ^Ab&p
FrCUl,z4^-p24xR\
Q*H&KT
(<e"/b D<]
3HfCqlZ
"P>b,T
^OlB,s
F;=;*qQ
35fJ%v
,n '>6Q%
x`Y 8Y
7@%3[ot_
he^ctYc4
AO"./ ~95S6 mZEQ@
yik8 fJA
Y<!W@N
ro8A"5qaU}'~Vs~B
ob~3MZ <
:C)DA"
=3.tPry.V
AEH]:A@n%;1
LbGx+02i"
ff@D[J
tzmN D
K/tT<ER
RO{AJyE
&&]bD>]JS% XR
8Rb7!e]bL
<"y83lM
PODatu>9*
b\:>IT
2KcAbG
g={:636 q}
/;r^m*Yd
H_B[_n
nPA63C`_{
Go iFa
XJ_7b^}"
WgGuh ;&O
v7{wiLj
\9GFqK4dOfC&
L5ADtG{
=yS,3.
)C1Se&
(~O,1<^0OHOIi
D"6}<8Xo
8c :$?;lW5
T3"PR~?yt
:?cy<ge"bXDra
V;3hl!\ky
lFz$RmS#
a,+JMl/?
JC(mW<
"(=Mw0XRk
jR mvd":Ug9
8{no!!
xo1Wz7
0iQz({
; wY^_|Ed
4Knvao"
5US}So]
8u[lVw
!,Nx|@
CWHr+Py
qjn{J$5
%9hRNF%d1WAXr
{pHaCU
VY^<-I6
(a$,j!FP\IQwm
@6kvc)C~Y
7&V7md,A
uma0es
%g<5PQ!IlW6j
m>c:0%e,g!C
&IRi h
D�V�C�L�A�L�
P�A�C�K�A�G�E�I�N�F�O�
M�A�I�N�I�C�O�N�(�
Process Tree
- 0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe (2060) "C:\Users\Administrator\AppData\Local\Temp\0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 431ffa59340446b1_shapecollector.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe |
| Size | 679.0KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 3f8bba9e497a072122acadcca605551d |
| SHA1 | a8352e9d17b0ed20e535b45cbb0b8752b0bd706c |
| SHA256 | 431ffa59340446b169799ab4532f10309f99598c46216d01fc62b9165cd73741 |
| CRC32 | 3913F899 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | d1af9217f79b9feb_pdialog.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\PDIALOG.exe |
| Size | 117.1KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 5823fb8262bc53e23aec49229cd8d3b7 |
| SHA1 | 557fc97928707d5d2c43d39b70de0a21f83064d5 |
| SHA256 | d1af9217f79b9feba601b61ce023f89ebac87ca6d339a00cbc7fd75dbf93dae8 |
| CRC32 | CD94FA9C |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 4abacb666f268499_is32bit.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\is32bit.exe |
| Size | 119.2KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | ef0512aad3af1ecdb31a128a8a9665e4 |
| SHA1 | 7bfbbdeac87032ebe51374ce9c12e34636ae047a |
| SHA256 | 4abacb666f268499e4086811b19e77681cebff2b2ab184116368311349cb9d87 |
| CRC32 | 9EA443EC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 501670dee0c11380_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.2MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | b3bbf21618f296e92b1e9bbf5b8f5125 |
| SHA1 | f0b1c9b37c2230ce76e5dcf313ecfb71b6c6253f |
| SHA256 | a46f223b601130cf0fcf1237a43a0a12d816f35ce5bac04527d5c59b33b2ddc3 |
| CRC32 | B2D2D10E |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 65de07768a6673d5_setup_wm.exe.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\setup_wm.exe.exe |
| Size | 120.9KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | cc1c9091e0ec3e9c28f02f03dc3393e5 |
| SHA1 | 068a3421b11cd0dfad7193d3376e3a11aec73144 |
| SHA256 | 65de07768a6673d55452d4025e21726e22874ed7843de4f1af46eeb7c61b19d8 |
| CRC32 | C6807BEC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | f92257e0a937fdfb_msinfo32.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\msinfo32.exe |
| Size | 370.0KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | b5ecaf895ac212bb4906f0207e68842b |
| SHA1 | 3dca25072c4bca06af2ee4a58dc30deccc91e77c |
| SHA256 | f92257e0a937fdfba1b52f72c6da4caf86860c15d6daac62b761c78212a1805c |
| CRC32 | 3A323C1B |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | c6588daa4b99e643_install.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\install.exe |
| Size | 549.5KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 766c625e1dcfb58145cffec9a33d8ea3 |
| SHA1 | 25813d2ee64418abc87b3facabe98987aca91fd0 |
| SHA256 | c6588daa4b99e6435de1e0e3e37163b2d81ff9beef5d91642be26518d41f3787 |
| CRC32 | 13F0718C |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | d9dd25ccfebd6eef_wmpnscfg.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wmpnscfg.exe |
| Size | 133.9KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | e9ff881952816a6c56ba10b1dbee33bb |
| SHA1 | 99346c4485e6d4e7d662a6e871f16cdf2fc266c6 |
| SHA256 | d9dd25ccfebd6eef55160d136955e0dfa8b0853ccd23b2b949161d0002f77825 |
| CRC32 | 26193A15 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 614dd28e1add7b6e_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.2MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | f81bc3c1c07e3a59b118d985e6959c86 |
| SHA1 | 854a2274e3ba2adc7612c7813996570880062919 |
| SHA256 | 6f3d39572ccea0009bd6f81cbed70256b5d428a53f6f75423a564461f474c9a2 |
| CRC32 | EBF6CB72 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | b625190a1accc37d_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.4MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 38ff35cd8b8ae3bcb12258a63ac101e7 |
| SHA1 | 688b452d3894918e3042276c972d8eff1ed6e8ae |
| SHA256 | dfa2616aff11a0c051369b9077f156c2b780249423bed274bb066db512ad4a35 |
| CRC32 | F4A6E6EF |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 984a4b9f2d3c13e9_inputpersonalization.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe |
| Size | 374.5KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | e9673006fa3cd32e8225929cee2359d6 |
| SHA1 | a838203b21a084f643c1a2d93ca97f1c8e693d2f |
| SHA256 | 984a4b9f2d3c13e906d3ab6b4834568dad28034c0f65f5289c35441dd9c2fb16 |
| CRC32 | 8BA0C570 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | cf390f4d652447f2_setup_wm.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\setup_wm.exe |
| Size | 2.0MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 9635cc72bea93602b5f137fa3dccebf6 |
| SHA1 | 3dc269646cf7913e01d23decbd94ee72e39c75c2 |
| SHA256 | cf390f4d652447f241f78d66a5f308ae18b403436834f50b08c298b077e1b8f6 |
| CRC32 | C4893E5E |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | af2baf6e24395713_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.4MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 9f74ce4943390712011726adbbe29fa3 |
| SHA1 | 74f969a76850091d2b2824588840d20d01cb8118 |
| SHA256 | 335f4a35dd9d43c1a0059230f81c34cb0088dc0906cb6eb6800f919b91ce2ff8 |
| CRC32 | 3B5C7F62 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 5179ae41a6e10315_msascui.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\MSASCui.exe |
| Size | 938.5KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 8c388468a7549d6e4393b1d9fdc3cfa8 |
| SHA1 | a9c5495648cbfcd359fe1c1e7653c2d9903b6033 |
| SHA256 | 5179ae41a6e1031599a760a0d9ee61af7cb95c5c9a349401b1c75c5c20eab686 |
| CRC32 | B38ED45A |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 1c90e98c07b72938_convertinkstore.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe |
| Size | 188.5KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 97ea3f413d6e67e0b0c91ce5f10ee108 |
| SHA1 | 3c3fe0a1efb73a3aa55d42f85961062bf1d5532c |
| SHA256 | 1c90e98c07b72938d082b842d011463012bdcabaf0f397d37e2a96c360ff529c |
| CRC32 | 1124C11B |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 7f73f48bf66e0ba3_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.4MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 6bcf8e4e23b9cb337b0e349661318949 |
| SHA1 | 656628dd4bbfe2ae693a65adccf291b415dfc338 |
| SHA256 | 089cf0b07a0c08883f06e4243aaa08f4bf3fc284f8748518320cf10ae98f5bb4 |
| CRC32 | 738EEB97 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 5e639c5f1527650e_wmpdmc.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\WMPDMC.exe |
| Size | 1.2MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 9d73307c6611a780faa62bc6aa1860ae |
| SHA1 | cbada3e0d919cbc06725c33e8bfeb6d0cc42a9a4 |
| SHA256 | 5e639c5f1527650e85a0a90bcf69352be3cb57ad67a0d11ba29e5ed1cba85f85 |
| CRC32 | 8DD7BBB2 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 9d50650c351bdabd_execsc.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\execsc.exe |
| Size | 104.5KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 8a8853c6917fe192c38c2a4be93e7a48 |
| SHA1 | 03529dff545a1df997ddccbdb1cdb92fd2918bc8 |
| SHA256 | 9d50650c351bdabdad0515ce3dbde580c5dc3ecbf04c209ed7ecd83139b1e52d |
| CRC32 | 4DB69A10 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 32ac41d5b04fbfcb_inject-x64.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\inject-x64.exe |
| Size | 96.8KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | be3a1f274fd4aa219d58531a3525a2c6 |
| SHA1 | d3c28c086e24c64bf8fb33e20b4d4fca7c6fb3e9 |
| SHA256 | 32ac41d5b04fbfcb32d746adf7e397896025f08a7531413dbea210a805e7060f |
| CRC32 | 2C74044F |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | d74bc50bf41ebca3_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.2MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | bb667940c2517d2918f3f0e2b9acc1c8 |
| SHA1 | 48aec2ddb3b1693e8b8601381f47bc9da492cfb5 |
| SHA256 | e1b14a1e922ea6ec13ab92e7ee153de5b032b51501825a271183b3040d971755 |
| CRC32 | 6EA9357A |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 47a0e28e76190a1b_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.4MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | af761e41621170ab5691d5b6e7a9c1bd |
| SHA1 | 636afaeca4e1e0adc1647211f942ce7877f85ee1 |
| SHA256 | a544301460848c98acb5e02466614d2edb8a33b89ec61fbfe10c3ee8b5bc2126 |
| CRC32 | 91A812C5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | bf81108f13b44dfb_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.2MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 01888f71103b32559b5f5132c9bc69b5 |
| SHA1 | 0300e1b2d4485e709626b13902c19969b964030a |
| SHA256 | 8ebca677573997523ead30276045026cfcf7f5bdc942fc0a249ff2d69021666f |
| CRC32 | 4A12373F |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e3c48611962a090a_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.4MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 687f98131b89c2328df77a6bdab44243 |
| SHA1 | 2af85f10e80b63031f4be83f29e74aab0a0c37f0 |
| SHA256 | 52c25c7be6a5ca338c78e948003088a82ad80ed6798ad3b0f29a524486824f21 |
| CRC32 | 5B1537B1 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 1ed19daafcd691b6_ielowutil.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\ielowutil.exe |
| Size | 113.0KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 4e7631129bacef2d7d03a259c6379fad |
| SHA1 | b63c0e359270c52133957cb1e469435b6656e91f |
| SHA256 | 1ed19daafcd691b6c95abda4de379b94a2d2348b3e3827fffd21aba32cf4d205 |
| CRC32 | F5303BA3 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 10325466509ec275_dvdmaker.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe |
| Size | 2.2MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | d72d9d6945a5adf85c0fd343cd140144 |
| SHA1 | be9be191c683c2fe2237b0f263d2c7111aa276ef |
| SHA256 | 10325466509ec275c7159cc9dc1d6bed257d184486d5c38b766bd8d63fca2d4c |
| CRC32 | 9BF5479B |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 2b60868884cb542d_procmon.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\Procmon.exe |
| Size | 2.0MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 7a56a060072e63b22f52ae87e8f8268e |
| SHA1 | 5c9535c7e631e61cfce510f862d40ee4b3d292f9 |
| SHA256 | 2b60868884cb542d7ed1f5aea6a27c787a235b7b7ea524fce308cfe91d998d07 |
| CRC32 | 252C34DB |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0f4546254f43ee81_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.2MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | f689969b4435da8db3e58ae75f2d59b8 |
| SHA1 | 622c372057313c1628e22e80a5f2e35385e374a7 |
| SHA256 | d87d77dcb7a96d13eb3551013eeba5b9303e7c0220da6186248e16de03c8ae45 |
| CRC32 | AC12F3A5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 91ad1acf02a9258e_ieinstal.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\ieinstal.exe |
| Size | 263.5KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | a48c9134dd946e9ab75f77436469c49e |
| SHA1 | c95f13a8cb5e93e250f3bc5ae6d647f7ef0356fc |
| SHA256 | 91ad1acf02a9258e5c5db37a14064217c9574031a12a854546b1aa33796cd048 |
| CRC32 | 8C45E076 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a035e4747638517f_inkwatson.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe |
| Size | 388.0KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 649e7d076f64f9cf1730ad2ed02a5bf4 |
| SHA1 | 04398861629b42f8f94c0e22652ac15c1ffef03b |
| SHA256 | a035e4747638517f4ab8f651d8a76c7b7833b571b3ef701848a9d320e4738ccb |
| CRC32 | F02149B5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a1e88659a4ad4f4f_marijuana.txt |
|---|---|
| Filepath | C:\marijuana.txt |
| Size | 21.2KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | ISO-8859 text, with CRLF line terminators |
| MD5 | c0214c7723fe7bde6bc2834742bcc506 |
| SHA1 | f3d8e78975bf169fc1ed3ae95ad41d84ff6a36c3 |
| SHA256 | a1e88659a4ad4f4fd55f246ab076dee048881fcac3ea8a300e2fe8cdffd88b73 |
| CRC32 | 0D0BD2E9 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 8adace36874177d7_wordpad.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\wordpad.exe |
| Size | 1.4MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | af613efe011dcfdd8321d90f98e45943 |
| SHA1 | e09632b2848d063df8c760009c0a7e1c18c498da |
| SHA256 | 57c4969ee3fbf86f17b4b827fbe5b38d7b0e75506dc249cc1e05be83ca57cad4 |
| CRC32 | DB1A63D3 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | f1b55417fb104748_mpcmdrun.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\MpCmdRun.exe |
| Size | 186.5KB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 31f5af07174e2cdcbe5516f10fd7bba1 |
| SHA1 | 4f3a5184f69544bb4d0d67d50b26c549b7aefa9d |
| SHA256 | f1b55417fb1047482bc37e35758bb1077008a1165937f9ede7a6b3d43edd3b91 |
| CRC32 | 23D5EBB9 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a68c05f67320e127_journal.exe |
|---|---|
| Filepath | C:\Windows\SysWOW64\DC++ Share\Journal.exe |
| Size | 2.1MB |
| Processes | 2060 (0a9c99a034c15658c8f4f97974ddad59f079f2c5e84fe5354eea8dc76925a04b.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 00c639c2c8aa9cfd375aeeda89114f48 |
| SHA1 | 29cb39a854810d24644406bfbd38a08b62f17a5e |
| SHA256 | a68c05f67320e127d01fa8c15a7be259700fc321daf5440e30f0757953c6dbb3 |
| CRC32 | C04E123A |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.