1.2
Low risk

0eb0e47b7af071c98652a10c2d4c563c7b10b7e2271736d0b81d56c6d5f3ebe5

0eb0e47b7af071c98652a10c2d4c563c7b10b7e2271736d0b81d56c6d5f3ebe5.exe

Analysis time

192s

Last analyzed

379 days ago

File size

134.5KB
Static detection  Dynamic detection  CVE  FAMILY  METATYPE  PLATFORM  TYPE
UNKNOWN WIN32 TROJAN BYFH
Eagle Eye engine
DACN 0.12
FACILE 1.00
IMCLNet 0.83
MFGraph 0.00
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
Alibaba None 20190527 0.3.0.5
Avast Win32:Malware-gen 20190914 18.4.3895.0
Baidu Win32.Trojan.Agent.awk 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20190914 2013.8.14.323
McAfee GenericRXGM-RX!1500DB9CE7C2 20190914 6.0.6.653
Tencent None 20190914 1.0.0.1
Behavioral verdict
Dynamic indicators
The binary may contain encrypted or compressed data, indicating the use of a packer (2 events)
section {'name': '.', 'virtual_address': '0x00023000', 'virtual_size': '0x00020ea3', 'size_of_data': '0x00021000', 'entropy': 7.778723374339195} entropy 7.778723374339195 description High-entropy section found
entropy 0.9962264150943396 description The overall entropy of this PE file is high
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 114.114.114.114
File identified as malicious by 53 antivirus engines on VirusTotal (50 out of 53 events)
ALYac MemScan:Trojan.Agent.BYFH
APEX Malicious
AVG Win32:Malware-gen
Acronis suspicious
Ad-Aware MemScan:Trojan.Agent.BYFH
AhnLab-V3 Trojan/Win32.Agent.R162802
Antiy-AVL Trojan/Win32.AGeneric
Arcabit Trojan.Agent.BYFH
Avast Win32:Malware-gen
Avira TR/Black.Gen2
Baidu Win32.Trojan.Agent.awk
BitDefender MemScan:Trojan.Agent.BYFH
CAT-QuickHeal Trojan.Mauvaise.SL1
ClamAV Win.Malware.Byfh-6804274-0
Comodo TrojWare.Win32.Agent.WBX@5bs8lt
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.e5136e
Cylance Unsafe
Cyren W32/S-6a606c0f!Eldorado
DrWeb BackDoor.Spy.2465
ESET-NOD32 a variant of Win32/Agent.WBX
Emsisoft MemScan:Trojan.Agent.BYFH (B)
Endgame malicious (high confidence)
F-Prot W32/S-6a606c0f!Eldorado
F-Secure Trojan.TR/Black.Gen2
FireEye Generic.mg.dbbece2e5136eba6
Fortinet W32/Agent.WBX!tr
GData MemScan:Trojan.Agent.BYFH
Ikarus Trojan.Win32.Agent
Invincea heuristic
Jiangmin Trojan.Generic.fhvj
K7AntiVirus Trojan ( 0049c30b1 )
K7GW Trojan ( 0049c30b1 )
Kaspersky HEUR:Trojan.Win32.Generic
MAX malware (ai score=83)
McAfee GenericRXGM-RX!1500DB9CE7C2
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
MicroWorld-eScan MemScan:Trojan.Agent.BYFH
Microsoft Trojan:Win32/Vflooder!rfn
NANO-Antivirus Trojan.Win32.Graftor.ewazfb
Panda Trj/Genetic.gen
Qihoo-360 HEUR/QVM16.0.DF5B.Malware.Gen
Rising Trojan.Agent!1.A726 (CLASSIC)
SentinelOne DFI - Malicious PE
Sophos Troj/Agent-AHNL
Symantec SMG.Heur!gen
TACHYON Trojan/W32.Agent.137690.B
VBA32 TrojanSpy.Agent
Webroot Infostealer.Pony.Gen
Yandex Trojan.Agent!Yil73SZBkO8
Visual analysis
Binary image: the file data rendered as images at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32 (images not included here)
Runtime screenshots: none; the sample generated no screenshots while running


PE Compile Time

2014-06-26 06:58:59

PE Imphash

4c0a507f23040bf4e66403904d18c032

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
. 0x00001000 0x000037ac 0x00000000 0.0
. 0x00005000 0x00000c7c 0x00000000 0.0
. 0x00006000 0x0000062c 0x00000000 0.0
. 0x00007000 0x00003f3e 0x00000000 0.0
. 0x0000b000 0x00014479 0x00000000 0.0
. 0x00020000 0x0000252b 0x00000000 0.0
. 0x00023000 0x00020ea3 0x00021000 7.778723374339195
. 0x00044000 0x000000a0 0x00000200 1.870216429677877

Imports

Library KERNEL32.dll:
0x424000 CreateFileW
0x424004 FindFirstFileW
0x424008 FindClose
0x42400c FindNextFileW
0x424014 WaitForSingleObject
0x424018 GetModuleHandleW
0x42401c GetTickCount
0x424020 Sleep
0x424024 CreateProcessA
0x424028 GetModuleFileNameW
0x42402c GetStartupInfoA
0x424030 ReadFile
0x424034 GetFileSize
0x424038 DeleteFileA
0x42403c CreateThread
0x424040 GetProcAddress
0x424044 LoadLibraryA
0x424048 GetCurrentProcess
0x42404c GetLastError
0x424050 GetSystemInfo
0x424054 GetModuleHandleA
0x424058 GlobalAlloc
0x42405c GlobalFree
0x424060 GetTempFileNameA
0x424064 CreateFileA
0x424068 CloseHandle
0x42406c GetVersionExA
0x424074 GetDiskFreeSpaceA
0x424078 HeapReAlloc
0x42407c Process32Next
0x424084 GetSystemDirectoryA
0x424088 GetFileAttributesW
0x424090 OpenProcess
0x424094 GetDriveTypeA
0x424098 GetLogicalDrives
0x42409c Process32First
0x4240a0 GetDriveTypeW
0x4240a4 GetComputerNameA
0x4240a8 GetProcessHeap
0x4240ac HeapFree
0x4240b0 HeapAlloc
0x4240b4 GetTempPathA
Library USER32.dll:
0x4240bc GetWindowRect
0x4240c0 GetWindowDC
0x4240c4 ReleaseDC
0x4240c8 GetDesktopWindow
Library GDI32.dll:
0x4240d0 CreateDIBSection
0x4240d4 CreateCompatibleDC
0x4240d8 DeleteObject
0x4240dc DeleteDC
0x4240e0 BitBlt
0x4240e4 SelectObject
Library ADVAPI32.dll:
0x4240ec GetTokenInformation
0x4240f0 OpenProcessToken
0x4240f4 GetUserNameA
0x4240f8 CreateWellKnownSid
0x424100 DuplicateToken
Library SHELL32.dll:
0x424108 SHGetFolderPathW
0x42410c None
Library ole32.dll:
Library ntdll.dll:
0x42411c _snwprintf
0x424120 _wcsicmp
0x424124 sprintf
0x424128 memcpy
0x42412c memset
Library WININET.dll:
0x424134 InternetReadFile
0x424138 InternetSetOptionA
0x42413c HttpOpenRequestA
0x424140 HttpSendRequestA
0x424144 InternetOpenA
0x424148 InternetCloseHandle
0x42414c HttpQueryInfoA
0x424150 InternetConnectA
Library IPHLPAPI.DLL:
0x424158 GetAdaptersInfo
Library gdiplus.dll:
0x424168 GdipDisposeImage
0x424174 GdiplusStartup
Library PSAPI.DLL:
Library MPR.dll:
0x424184 WNetCloseEnum
0x424188 WNetOpenEnumW
0x42418c WNetEnumResourceW
Library KERNEL32.dll:
0x424194 GetModuleFileNameW
Library KERNEL32.dll:
0x42419c GetModuleHandleA
0x4241a0 LoadLibraryA
0x4241a4 LocalAlloc
0x4241a8 LocalFree
0x4241ac GetModuleFileNameA
0x4241b0 ExitProcess
Library KERNEL32.dll:
0x4241b8 GetModuleFileNameW
Library KERNEL32.dll:
0x4241c0 GetModuleHandleA
0x4241c4 LoadLibraryA
0x4241c8 LocalAlloc
0x4241cc LocalFree
0x4241d0 GetModuleFileNameA
0x4241d4 ExitProcess


DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255 131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.