3.5
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.72
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20200725 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Kryptik.rb | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200725 | 2013.8.14.323 |
| McAfee | Ransomware-GFR!E5B7E8B5549F | 20200725 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b59383 | 20200725 | 1.0.0.1 |
静态指标
观察到命令行控制台输出
(6 个事件)
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | .adata |
文件包含未知的 PE 资源名称,可能指示打包器
(1 个事件)
| resource name | GADS |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
查询磁盘大小,可用于检测具有小固定大小或动态分配的虚拟机
(1 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\ydhujglp.exe |
创建一个服务
(1 个事件)
创建可疑进程
(4 个事件)
| cmdline | "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\ADMINI~1\AppData\Local\Temp\ydhujglp.exe" C:\Windows\SysWOW64\jnwvkyhx\ |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jnwvkyhx\ |
一个进程创建了一个隐藏窗口
(6 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': '.adata', 'virtual_address': '0x0000f000', 'virtual_size': '0x00013d94', 'size_of_data': '0x00013e00', 'entropy': 7.969827972655182} | entropy | 7.969827972655182 | description | 发现高熵的节 | |||||||||
使用 Windows 工具进行基本 Windows 功能
(10 个事件)
| cmdline | cmd /C mkdir C:\Windows\SysWOW64\jnwvkyhx\ |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | "C:\Windows\System32\sc.exe" create jnwvkyhx binPath= "C:\Windows\SysWOW64\jnwvkyhx\ydhujglp.exe /d\"C:\Users\Administrator\AppData\Local\Temp\0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe\"" type= own start= auto DisplayName= "P2P Support" |
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | "C:\Windows\System32\sc.exe" start jnwvkyhx |
| cmdline | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jnwvkyhx\ |
| cmdline | sc create jnwvkyhx binPath= "C:\Windows\SysWOW64\jnwvkyhx\ydhujglp.exe /d\"C:\Users\Administrator\AppData\Local\Temp\0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe\"" type= own start= auto DisplayName= "P2P Support" |
| cmdline | "C:\Windows\System32\sc.exe" description jnwvkyhx "Internet Mobile Support" |
| cmdline | sc start jnwvkyhx |
| cmdline | sc description jnwvkyhx "Internet Mobile Support" |
网络通信
与未执行 DNS 查询的主机进行通信
(3 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
| host | 103.248.137.133 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| service_name | jnwvkyhx | service_path | C:\Windows\SysWOW64\jnwvkyhx\ydhujglp.exe \d"C:\Users\Administrator\AppData\Local\Temp\0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe" | ||||||
操作本地防火墙的策略和设置
(2 个事件)
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
文件已被 VirusTotal 上 54 个反病毒引擎识别为恶意
(50 out of 54 个事件)
| ALYac | Trojan.Agent.CPJS |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.Agent.CPJS |
| AhnLab-V3 | Trojan/Win32.Lebag.R211769 |
| Antiy-AVL | Trojan/Win32.TSGeneric |
| Arcabit | Trojan.Agent.CPJS |
| Avast | Win32:Malware-gen |
| Avira | TR/Crypt.XPACK.Gen8 |
| Baidu | Win32.Trojan.Kryptik.rb |
| BitDefender | Trojan.Agent.CPJS |
| BitDefenderTheta | Gen:NN.ZexaF.34138.@tW@aqi!dTb |
| Bkav | W32.AIDetectVM.malware1 |
| Comodo | TrojWare.Win32.Crypt.C@7vajd0 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.5549f1 |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| Cyren | W32/S-13c65615!Eldorado |
| ESET-NOD32 | Win32/Tofsee.BJ |
| Emsisoft | Trojan.Agent.CPJS (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/S-13c65615!Eldorado |
| F-Secure | Trojan.TR/Crypt.XPACK.Gen8 |
| FireEye | Generic.mg.e5b7e8b5549f1701 |
| Fortinet | W32/GenKryptik.CRPN!tr |
| GData | Trojan.Agent.CPJS |
| Ikarus | Trojan.Crypt.Agent |
| Invincea | heuristic |
| Jiangmin | Backdoor.Poison.bdn |
| K7AntiVirus | Trojan ( 00533f761 ) |
| K7GW | Trojan ( 00533f761 ) |
| Kaspersky | HEUR:Backdoor.Win32.Poison.vho |
| MAX | malware (ai score=86) |
| McAfee | Ransomware-GFR!E5B7E8B5549F |
| MicroWorld-eScan | Trojan.Agent.CPJS |
| Microsoft | Backdoor:Win32/Tofsee.T |
| NANO-Antivirus | Trojan.Win32.Tofsee.euxfji |
| Qihoo-360 | HEUR/QVM19.1.CC8B.Malware.Gen |
| Rising | Trojan.Kryptik!1.AE8C (RDMK:cmRtazqQQXX2HGk3HYh8Ta0T8+x0) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Mal/Elenoocka-G |
| Symantec | Packed.Generic.493 |
| Tencent | Malware.Win32.Gencirc.10b59383 |
| TrendMicro | Ransom_CERBER.SMALY0 |
| TrendMicro-HouseCall | Ransom_CERBER.SMALY0 |
| VBA32 | Backdoor.Poison |
| Webroot | W32.Trojan.Gen |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2015-06-11 15:05:41
PE Imphash
daf8a118169f17bb1988c54deefe0924
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0000dcb8 | 0x0000de00 | 5.723712661733954 |
| .adata | 0x0000f000 | 0x00013d94 | 0x00013e00 | 7.969827972655182 |
| .adata | 0x00023000 | 0x00000a35 | 0x00000c00 | 5.370333384231411 |
| .rsrc | 0x00024000 | 0x00000870 | 0x00df8400 | 0.09469709765401657 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| GADS | 0x00024070 | 0x00000800 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library comsvcs.dll:
• 0x40f014 CoCreateActivity
• 0x40f018 CoLoadServices
• 0x40f01c CoEnterServiceDomain
• 0x40f020 RecycleSurrogate
• 0x40f024 SafeRef
Library user32.dll:
• 0x40f02c LoadMenuA
• 0x40f030 DrawStateW
• 0x40f034 ShowWindow
• 0x40f038 GetPropA
• 0x40f03c PostMessageA
• 0x40f040 LoadBitmapA
• 0x40f044 IsCharLowerW
• 0x40f048 CreateDesktopA
• 0x40f04c DispatchMessageA
• 0x40f050 DialogBoxParamW
• 0x40f054 wsprintfA
• 0x40f058 IsDialogMessageA
• 0x40f05c LoadIconA
• 0x40f060 PeekMessageW
Library rsaenh.dll:
• 0x40f068 CPGenKey
• 0x40f06c CPDeriveKey
• 0x40f070 CPDecrypt
• 0x40f074 CPEncrypt
• 0x40f078 CPCreateHash
Library kernel32.dll:
• 0x40f080 MoveFileA
• 0x40f084 EnterCriticalSection
• 0x40f088 GetDateFormatW
• 0x40f08c ReadConsoleW
• 0x40f090 GetProcAddress
• 0x40f094 CreateSemaphoreA
• 0x40f098 WaitNamedPipeW
• 0x40f09c GetModuleHandleA
• 0x40f0a0 GetSystemDirectoryW
• 0x40f0a4 WaitForSingleObjectEx
• 0x40f0a8 DeleteFileA
• 0x40f0ac GetCurrentThread
• 0x40f0b0 GetStartupInfoW
• 0x40f0b4 CreateMailslotA
• 0x40f0b8 SetErrorMode
• 0x40f0bc lstrcmpi
• 0x40f0c0 FindClose
• 0x40f0c4 FindClose
• 0x40f0c8 FindClose
• 0x40f0cc GetShortPathNameA
• 0x40f0d0 GetExpandedNameA
• 0x40f0d4 LoadLibraryW
L!This program cannot be run in DOS mode.
`.adata
@.adata
G*@G*@
B@J*@*`
@H*@*`M
H*@*`z@
*@*`P@H
4444444
6} ? -
BBRPP53B
sMh`3B
G`5;v@
CmMoveMemory
CmAtolA
CmFree
cmutil.dll
RecycleSurrogate
SafeRef
CoEnterServiceDomain
CoLoadServices
CoCreateActivity
comsvcs.dll
LoadIconA
IsCharLowerW
PostMessageA
LoadBitmapA
DrawStateW
IsDialogMessageA
DialogBoxParamW
PeekMessageW
GetPropA
CreateDesktopA
LoadMenuA
wsprintfA
DispatchMessageA
ShowWindow
user32.dll
CPCreateHash
CPEncrypt
CPDecrypt
CPGenKey
CPDeriveKey
rsaenh.dll
WaitForSingleObjectEx
GetDateFormatW
GetSystemDirectoryW
LoadLibraryW
GetModuleHandleA
MoveFileA
GetCurrentThread
GetExpandedNameA
lstrcmpi
WaitNamedPipeW
GetProcAddress
DeleteFileA
FindClose
CreateMailslotA
ReadConsoleW
FindClose
EnterCriticalSection
FindClose
CreateSemaphoreA
GetStartupInfoW
GetShortPathNameA
SetErrorMode
kernel32.dll
E]J]$]
lfn}I6gH
(Q6BG*:dEwlfEwlhE
SjILQ+cjI^Q+cjI`Q+
VmIe,_WmIe,YWmIe,[WmIe,UlIj-
lIp-lIR-
lI- oI
.woI.QoI
a8 _Ip`B!_Kp`B!_q`$
$cLVZcNTfcPT
gcU0cgU0}gU0
gU0ygU0{gU0ugU0wgU0Qg
V0d$V0d&V0d(V0d*V0d,V0d.V0d0V0d
V0dtV0dvV0dxV0dzV0d|V0d~V0dV01dV0
dV0mdV0odV0idV0kdV0edV0gdV0d2V0d
V0d V0dBV0ddV0dfV0dhV0djV0dlV0dnV0dpV0dRV0
2{J@zU|L
C N7!gC
ob#!Pbn
P:{&O&pjv$s4n
*vKoJF
9nm]!YX!;j
+:R{`\R
HXa;\1)p!
3,Mg\u
m{`tI@9
RlUBG'
!+r^3lbrP
KqxicF
f"6CYq\5
$mI(_l[i&
WLpIW^m
]d^8CSo
c!N??|
fYU4?*y
k1F)rrU)3
|+\yuUR3X`p-B0~i
3\;YmP_
'/2!DsvY-
Q"GqCc*_
]9Im96#$V
iG>H;}4T
${eZr'uC|
d2 %di%__
JPEnwN
$dYXe[%u'q
p ?U8fG
( t-1koFY.
gTO\ywzr87@yU
fz "->+\]}C}
)eOIbZk{
([5LLu?Y4=UA
5.A&l_<W
H1A[Cs
SCRV8zt+wgdW}Z#U
a b 0t.
N8rzhh
=OK'+2
#J=zuj7'
+lG3"=u
u(%!SEws4t5
M5-{(
uN,Gm4
R=I]{d"sa
"2;`xW[wE1{Voa[
:.V;zP
~k.3UwD)u>
_>ZYaGr{{A5Q
21Ot=vO
3"NwTk
',0$7-
.x bMb
b1yHDD9
e<DgAT
\TfBgYWe?aL
*K!+h~
cW"28<eQLWUi
4/1z8r+0.ZA
7Wn_KmQm$
%GAazZE@G
t[f2<d4"
HuB9_/B:
?M,bmO22r74
16"3JZ
%m,c+=p
E9#{g)Z
]`q{ 8
R<ZHd
nh) d@
TCt2J%
w/{M~:
ZYQHU*
iz+Wd6^
~Fk[8<
b37^FmQ|Zy
O=!%N+[7
VlU[6imY
gQUb$!vd
%]l/GgTM^iB
F7a0N0<
MwACOLy7f{20,2
b4sjGGiR\
ecV* q
H%G-}?)O~jV
"@jg0\0
An\posj*
YpUZ6^[
k5)5;U>yP
Gy>rt;
-m;88-
SQSrPD
k ?V),~
8hq i&RRKK
(_5?v>3z
iN O9X;)M!
;)rM a;[H
/(Cr(dH75
Uw|f5K:
Y7U[x/O
{>QScu\
kG2G&Z
1Q^X{oVU
(~*CM-y
uq1cfC
[TvC*c
05w?n6
088BHeRA
A|Zx>v
oo"oP'
j*I~+vB6%+
@}Ewz^7
]0@pM{_+!
te6cm[m3E( 9S8
XO[qZ'UU8?gW
b!HN8=Y
o7#Q5sZ
MWsgfZ
PW@{]|{aQB2T
q&R97J qJM)w}pZ
{usa '
?B}9O|
T@"X=c
qx4-/ TF
X^3(6O
iYI`O|~m/
.!JtTR
*EkE$@I[
d*'Qf.A
@sk}mC.1X
guX@$-=
b=PBROG#
t"A5eF
-tWq(<#
ZU?LXACo_}B
7{-:vi
KsYlke`55-{v
0OCN,~81
h:TUS2nrc
Xya)/Xnt%#
rcmn'_d
qBnyz>aC
<N '}L5
VwL$%:}
>ROmS?UL
\{VcQ^d
7yY/ OO>Cw
<Q^M8x
78sNW
JNVc^7Q6I
%;l8 8Ng
[1cQf+
Ykg(~)
iYWZHU
V;_|:0e]
icsV=d
7O)/jN)0s
<yAHDaBbE[/t
~dYIvc u[Pt5V:
$ +n 0
>T4Kuj>kKP;
Q8/\`P]@9
^Mo!dghY3GA)%
3??O`k
0!-s`)
#:NL+O
cki/-d28
zRq8] aw{ qHB lk|4/
7Ax)}PZOyi}8;w
!( plFpJl~kAm0m`Y
o/{#UW
@WdOQ9u
n:7g.A?
KjaOZKhC
%0[9lX6j
Ln`DZ) x
G;>6mMK
>6p*p=mfig>U|f$JU~
-Qr7guq""&+*
8H?P40
#o @0?'=BK2
cfXnfhV+2
{(#!7"?;
/+Gn#sG=0e^BBc^48
cJ^j7s
#uMebFi28Lymh&v
Fdz"Iv
2U'9ae
a}Xavx
#ls"IDd
%uk)Q
7*vB c
BM@sB6G\Gup7
D@-jl{g(
CPr6x?
h&SM=jh^$
xU6^`5K
<{,.x=GxF:
A6JwNgU'Z\s
4HWkv,X,2
N%a4:;
k~"\`G"
_0I~*L
L?Xy6:c'
v p+S1 l
mJO@\0
aS0"#WqK
!mR98=F
jh'#c:{q
$QoE'^.ZrL{4+o6
YH.,o,n
+ueRj`R-" a
TYCTot
h\.# 76
'xG'"c|
sIy(&k5
Um4P0YI5(6x
|xJcy$7E;
issJ|wXvv
7Y&5jX>
,O.og+a
WIgvgGK
=%y{ezS
NkBQOrnImuVY
ipP|TyikD9
aJ6 -NuNnLI
kgBUX!b:I}j2
:8Ii1v+/< (
q{q*]fH
,mk5_@plk2<"p
\SsI,Wt-CLXek
Sx3r9V^
0"'WT)G
g,D|r<b%
bT0HviF
.#=;*<SLGR
/qX+Y6j[3
beebVi#k-
JM+!'^`(P!Na!)#
:[0,6=?s
s.TJo23
`bd6 8`
qkk!f@kkk
0=E"t6W4m_0
[e(n[O
{K8&oX<c
Hy+/E?
AU081<'6
bquP0s M
(E.nF#
ud0a!Y_j
r>ox9~
pr;;S`|Jb
8X"xf,9
X:n x<)}#Xo
,Y"8ka;f~*TK_npH\Qv
znBsk*Msrs]j\
nB-4'ux4*')
~NZt?f'
W+TMNpe
@urCE .
]$_@oru
tuGUQR5
z2"b8L
@w2Fv<
sw_YydC@/p
Ft"C} X,
6Pth6E
ZhUH?"#bu!'Q
9.|PA(
Q)<}3M
MrMOo[z2%m
,/_neE|XDj
Nj.CNu
t+3|z4-
^0`Zw?Z
_{CvrPwp
b]`"7R
tk=2?:IrD'h
Ye?l.ko]OR.)[
L{Az}$
+e -pK
i GHY.
%oe/|#NN
y7#M>=PT,5
n4O:@T
C1wsoE
q;-79p$
;@&okp5u
hW`u=M
2zmz&d
IZ[N"3Co
;Gn|F,
hUq[*Z
f*0*W%^
Kh"L'xiN
$xOox>
]?ox|F]?:
W=XOev@
CcPb2[p)
|C7F"!
$nCI wY
Y'y0u(
'XOl2r$
$j:slXQ
$`w^EG4
OG_SFZ
ltCj 0 y*
Q?1rS'yF0a
PvD"I`
/F2pnD
7Zw>nk
n=l{3h;
<K"[NJ
O~fT,0UV
;7c*Z9
L,CK9xt_Nee
<m\3eCg;e
|n3jd+
6M<%S;
eH7Jlv9,^l
BAV5?^
}jfH/.qg!h}ZhX
~/*|cJ
95%|4\=
7c:Q+l#Gu
Bf6#V6%
?h>7,12j2
cN%qj|XlN
9m>V#x
K4[;xi'
kxP77I
=49bP.
o]_YYd
Uif5Wv
i]PbyN
G8B/cE
B} 5?/4Sv@ %v
NJ#6T/w 9=
U;vs>_f
-f!;OBx
k$%3MZ{S<
)Xe6kA
|K]UDLgrA
;D`Z]oq
\zy=`;
,%4j-\7nyi/O}e{I\
rvkw-Eld
%%D4~vi/a
wQEB8O['7"h_+)%3
3D<kE`
M=_'sM
'Z,5px
Ri`""JT
mKX%l!Q
ixx<pd0Vq
pM:C7/
Nl%*^Szyq
I{a{jNN
}Ve kS#W#eYG
v{()7{"
mMTpGGM
Z,tm]_(Hsz4Vq
i&=ecYx9N w
zZiHqq~ar
k')`M$s
}"P4`Mfy!V
:Mz~CDDM
xb:-]K@l
]@HP}U
vy[]B4&t
F&j+'3l~
[rAV3vW@p
IuU$Jd
7~=`~!'ZEp
gNpoj]7 sDT^
SqarSm@${m
ifw- m2zn6ZDu
h x-GM;
!8{i@/KBF7
/#yb.$ey"(WiaS7k
z:@=;lxN
J|%x||d1`
U\5nrC<
dVziI\p_`Kj(I
@3s<<'
y&5H@t
[z4^nW{
k*6:_*P&(
LXg~5G[z
%UDT,V
y+6M&xr(
qU1>QG~~LUvn
33*Fx dpa
vR_)b;
J:F+Ic
#M5?LL3})>
0mfqq:8h
kJY0~(
m<i4*@D5
9i`~|a1
wfQ+|*0^
a 7wd/?
,n<#mr
-!nEk"
"aPykq%*p,
!@j~wV]
s>O3>)
H_]9QGU
pyl%` 3/+]ysw64
%]o!KJ\
dqXn Ta
,\/nGtWU5 n
gO|ld=Powoz*n\
jU,Wtq89Xh}
/]rD%T/;T7{q
Q;[cZT_
3KS><XWU
eaeJ Z t`DM
'}4(f`k ,
s95eGX"
@Grtqgts Xv}7%.
hh?dAG
t6uX3)U|lB41t;-o
o%IK:'A
N'4-%m
gVN`{!vR8cS
#T@bf@r)
JfbkPA
lQ@{?U
F)T{iIh
70Xfj{X
hCPUoY?h
7 c$Pd0
ng1/2#)@=
>tk,A-s,
3:QIlScr~JG
#L\6pDj}'
Gly\SN
\`XrNF0Q
#/X*()Z:'I
O*ve69!
zcjH#H:
;4A%u[
)_@Rz>j3W
<#B;)bR
{K:@0c;3
g|dVW$g/e:
{sRf2|M7
+9#tG;'
}l?)25
o.^&] v
_2$7U~l
SW9=i$\l
,}('a H
!]I0{*
~KxL=@
IH^|{Eh
PBbK+hL'lV
G>N)8+8>
.-V,]X
. e<%|9
L0ka{}yC
)+4h/VO3M
/~3FHyvz9}wH;U:SMQ
p6+#T)dj<\$K5m~x
bx>is,
9:Vb{P=A~
g j{fHX3!
)FuN~cQ
7wVj(48
/Zi4gQ-;
3B+-pxY=+
F\~Bp_Q
!cBc7spQ4
"3c[t1
iB}%p<
f0z3Up
Dv"GcYJ/
tMM;#1-)j H/2
$$Z'7n
rLdu?4e
|!N`z=
)h72;r%x
x})l}e
CnMp!aB
akC3VZ
,&P7':
nCv$ry08
E46V78
*LRMkv6'xkR&xR`
=YJY?P)-&;T
b':#1_}(
1m(tk+A
aR1Bpo
4m]Ny|8
aYFvYc\vn
3xqv81
R 8m[.m=
*2{:Rd
tC%CT*X
iATkHQf*7
pX#(ni
yvXot]
h#-92kx5(2Qi
6_K9_m $a
K(^ I
uX14+&V
,Gy%:o^v
X%dbvkI]4l1uw
`!WU<je\g
_<~jB
7n)7yC
*wznNBn
|WE[|Y6htvV&
6;k(b"?(Rs_Z
a%t)k<
%tB/12
l@s/f5
~t%EDd
Ed%#Sj*
/9n!]%/Y9
X'p"!$
ry+IwH
l,5/3U
39FZQLm
'AjgLa+SI,
E^vwLt.-I
E&M|`{3u
c|3_&zt=:a
.Q.>1F_Wt
!*0U .C
Ulb`#}=vazP9^
S=7?!^ ~8_
+pABTg
g3w'(wA
woJyU^):U
A-\WDY
bT~GV&
6j4(u /F-6
a!@K2y
mT1ffhL
1z3wq2mTz>H2
n35dCF
|N*lkh
:0?23t;r(])
z,2MjbR,[vzAoc
a{MfNLt04-
f0g0?ch}Wow*>
lcAQynbX
2-'s; 1
t85.Z\@
=J]6o\uL]
ShA9bb=PTV
RurGpX
<w %`KL
eI4$jrRIS
BO<iM@M
{i1G?P
ATcnfM\8
>5fq7AI>
'hmNMG
^F ?aFBI*k
r_`q}Z]sJ8 ym
<9mTmAgAU
$Y&$76mQBtcn(
U] 8 l
/osQa!
`qqm!kBY0
Cz!ba`B9
;ST~T$
pN"|Rpx}s
+?*b?i8\:9"L,|zl30
Y-d`)yOQy
sAFh\a{F'g
b3Q=qkDE
9Z`c"!rO3=`OQ#N
YmrO]!
2Ys']Z
a8a"+s
d-;$H;5
l#|_mlZ
\\DJunv
$8E<deEJ
649 xEqx
t0509T
*%v&Ez
ye/KLi}d
{=#r$fv=#)qN
9wu9{B&M&
nf_ s~
uP b~92?v* =w
K.YR(Je=
/(DW$o
qc70_n
R6wu4W<JN
;y^zi#;b
& |a wMH3'zMrsBJ
qEj)s,
$$W'j<0X}]Z$Fhe
I(liB(?J
o$(fE%
zA$|s<<=^K
? Vq[O
<#u>~G
@RCa_kP
Q]c41(p
\W2b|p(aH
@XCHfjKZOX
0}{5Ok
;\~3k$
h]#zbzqo8
.Tv;fl&U
->c]Tt*EUV>
fq'<'i+
D;v+."
NiDp<E
e'<IUh
90IqlHv{
M@{f\H'6
jnO'DT
"'QE+ywN&
%)Hc`!
\H%,3,XN
q4~u14
T%'_mm
re~,W?g~
?4*tT7O<4
,4;-fB+%
XUTR!2
NEC[gU
{jLUvX
$Mg?X`;Y-,n
zQv[17}o=dpBiG
g7?U+,k
k{TX}:
UGml(o"
.byHc7,QHU~*g<T}
90/"(y
0#/va975s`J
AzElE#RC9
gw*Gk4Yi(,
>hmwZ,x %.
1d.a W6x2tx04?n
}~Al8j^
~IUXi~/IR
5u\p,v]1
K))B-1y
#p-Py)T
~UE4<H;&_L
gto.woFR
ljbe}D)
)C?DO3
=D:1sq
DwwX%\
''^c*1p
/rOB8DQv
OV!6ljgJ:~x*
`gm5(ac_
6ltVfTY:
-e!/je
5<'Bjyr
d*kEgia<i-U,
xl`>xs.Jxcp'qX]pSh
`az2S;^fz
TpM~rdcKX
CO>q$'e9^P@
[`:zSR{
s_s1oX
#pB]hP8
i/o@bO
70j{v]>W_
CEAlju-QxmR)!0:J
$ UUx05
|aq&$&~w
!8I([%%i*TphSk
\-~iqVZ
)snSMn0sf4Ud
.9{J,I
pX=j|?ED
3cqi)[;
gh!Ew9
~fN"t 3^
ZFW;fQ
9NMx62
#/$9.jo@`v0_
#|9`7e
Bz=i}4<J
ng1i.[
s~H6D!
kH/fa#qTr.
aE3g[EmwcC"T'
3Vs&+V'j
99GY(e%0U*
Yjk{~qaXSm
,puQZx#8
cR#%htyl5EG
y4_UxB?Jhzy
p=@i` f
h[s+%dlw
.J+}@sr2
0NZnnd
4VL;E;
/wvnIJ${'
x3.ry[G
E~sC ~
OKm~@?
&~*&Wf"
QTp}d<
Hhk&06^&wEx@
d*'jg_
e)W9e.>
K!g`\'
6[7X[yZ
w0V;d{>We.o
pr1;|Sbf=#,
|Z*};CD}k|
(MM rL
{}Y]/,z
c`e%Rpe$Cdn,~
Y&px;v
cgi*Ng
)D8=S`
b4K\[&<qc-
}P!v<iG}8s
]K<^\p.
mim B4[
jnSIyI
|ZX|- IG6f
^W6w]?4Uu|(9
|%= o{
B8+sxaL5OL
v:8Edapg)Sk]K
QlOG bmeK^, E2nW
TPOBu.y
6*%R'y_?\R
_sXhAG
Nx1.b9
{aG:q{ kk
^x^Zr!L~~
Mzc$JJ'm!"
#\ n^DAL=VX
Y#'gbPd?w
6"g|F/&8<
aD~ReZI!7`%_
]z2J7H
-_Owp}]V0
)*OT?L
_<D\wM
uy 41$\sr8i{
lu_/IE
NZ8|n\J4x
c4yK J
Bit\nXzlm:X
0_nax2
e/K^oT
&^=<kL
0=>x3D{$%~SdYv5w3CM^
<hL"YB
BQQ?bn
c;)p]
zRWWC'
w)&udvm
JUn&HEz\'
}HFxNW
~z,?Ochr
`4`&r"{aoRm[2
a@U$(RqE
8BT }%
+Ib.ZF Om_F
\sCdzS1
fke`oT{0M_?n'3
K ,lnz0"3
\x)_Q2
&y=lH&^o=Hspt5
Ea 3ht}5g@:
r|0pG1~2h)!1
_cXDgZF&O1;wA
@]I(28 %
g*na U1{B}7:3J{
z*DOrV4
ZkGa`IeQ
/}8/H>
F&xN!8I
dAjQS>
Y#nI"wd6LGZ
U\fgfomf
v-|?&6I~/Z1
,`_M@}S`e#fGl
ZIw'%|
wbWsx@%!
rT( ^}
E5D(=b 0
Vri@@J
Vu8%d_Svt
h_:)&p
L|r/N`d%b
pQLGGvP:
T5kqeWDZ|oTN/-
Z7v 5*\6t
gyCeK@B,
;nTzmz
VE~wDww$%$
wcEo^e
>>axp!7
aUjDB,
~]oaHdM)
QmX;j{
X4}9n/3KE
OhA`T!aAS
5?yk^K~
\k{vDj
dE(W-`(
DWov8x3
WCuw-!q
Ji1+>XVe
=sj"H%{OfeDp2
44AiscrBjRtl
;,}xT4%
.#=~n?
-I>uj@%X
+`j,^.4/
aHt>s*>?
4x;N'+
tvq51I
}tqp<q1]
Q\a``G
$2{&=L`
Y y=|<
frONwl"
n`zTrH
y]MKJ9xy
rP^$F<s
iZ9<p}CqEo*csv)l&bJ g zG
1^{h`<4\if
&6 VHq&p>O! 5
!6G~`L2$-~s:9+Tx
|:T}4)yJv
U0\5@x
k;ech{KP
7FR5ga
^KoGet
_QX``F!BI
=S q%mG,i
ee$\6e#a$
dId%-5d
*$$F7@,
LL]^lT
a#12jp
O\[ Y0a<
oU]MI]L^
<Ydo
w#X*jk]hp,'
^/DTzA]s
eC\DNv
(,W,%Lj
6kjHE*`ngh
"sxg +3FE!>Aw
|A% 6f
Ae{;)3
j|w}^Auc\#
M$&kSU*j
\`0 HhR
2#VF(@
giwM8C
yfz*H{g_T
|HXN^P(OHm
+ceZe@
z|qIG=
|Wt<Kn%
w'0"i}
<RfeWf
:_?HXVjdQ'iCsC
:L~Ts2
da,.V
e/ll*~
sWHCFe:
^hk1]
rg:a)|$%A&
v}W8.W
$)<^8mm
Ng|&>Mg
DB6r_br1Ua
n`8_:#%4]X
[lV<fy{T
s${bNg
$Mr:':x
Dr;:&3@
-!]#,'
^+s>^2mskX79y
['xj'w
55d<wsZ@'UP
w~ECPw
~'bef.
:I,o)Y+:R
oQi!ci8
1tMn#]
asuS'Fj5M
/Q'.SW"j
F;t{oY$]=
QmOYv2R:-
@ nNnt
[EWpCHF
[CD:}ifDkipH|4s
\m.n4R(>'Tya8RS2JM8MX
WeQ~zS
8At,&pC
'z,8N\
V_+)4E
Q!)UrQo
av+N|lA
w7MM5.
.go(jEXm
o'hYX=N;j749k
uuD_+)
$9lB"-&~2(X5
"y,l648q3
t1|?(O~
1i]_Glu)xV?Yw
h4X]L|(
lAN\s4
27f(AU
z%DkUx
zVng*U_dy
B Q]@N^Nou
XSq%,<(]
! Z^})it2c4p"
3BaJfxnQ
w;< o<1)
3iO!+ZHh
U3}WeTFh
>!pX)~h"mWu+f
2n-L3i~r
3mrgwp6f
jgn+b!Oz`
C;)>qB|Z}e"KO$7|{:63
TR~7qvZ
']oaZO
9N3]F$
.1\]vn",<O
BE7vA|JKZ
3;5k0&3I
B\!,:$
S4Z<4j}F^A
)|[X<;S
*P_q|W-eSH'1
z9GZddh'Vlul1ov-xg#
}gaZm[H
'Cc+|5X/
eq&Xe7WnBo:s}l<
d>J;|A
4BIF=.
!3m}t;382
B1M(+{
k1(-QPfBc|'$I|>=\.
j^?~%l
v&ev.U$S
`a63YQw
WW[9%QA?j
\DDme5Kc
v@{G\9n
VeiW+Cj
"e|QaC'>
6iW?[$MyRo&
L'!*ft Jxsf~!;0g
$weV,&<N<)|z
]`"nvR
yFAR`x5Cq%
{p5ry&z
A,Sjqx+
yXv-il
OCX}1N
7xJJD78RQ`9HviX^rpT
mb{C~q?\
_C]m|H$WMM`
~$~&eZ
[LannO
]6saw^
uBspxd
8cvyV;{*
DY%4w>}(4</{
y"4!CcKMy,Ky"9h
WXx!m#hai+"?
]*O3`y
M86Pm pvS)
k*T=1a2
{}IOF;)L
1BYs(C9
|&Omo#*.
[c1]"!D|}u6
g&&g&c
\71HH5L.
$7J>fUdy
GGwz)p7H
P!Gc`a;
HqJO@:+
i2%_ME
TWL_=r
d4`>TNs{
r+-Fnt
^z;lF==i
>$nC"_
%6QtauU3e!gTpTa
b-kXcIVG
bOv8Uwd0
qedO}0-"N
[-%~}M
hgZzv<:c
Hs9F^y
x^Mw~`
\3s ubF6z
^[#f~&~;
rq>#dJF
3%BpSp1
aK(02Q3/Ms4
~pAk1JY
ZtBb?p
F5J/7n
laXsXMv
M h8>V`d!_#X
XSzku@S
YHMSq>w-6']^|"
H?Wi)Et\
?}6~rSH
FU !wo
w`;UsJ
eF3XG()
qA}@zh
Bo.pK=]5
u(1Ylw"
u94KrTt;;L#8
xiIkxsW
59j2>W'L
2O'PD&
wM8!hieMD_/"+p@{W
k~@eIIo8veT/UT3
G]J,^vo'7!+^;
(4HL_6<bq
nb/ &DJ
8,8$@5tu
]azOaN31
HwL|~ZU">{
kA2_?1
g-8F_juy
xEb6/m.1H
:kWBX#2X
giKO~=w?45lCt
pZq:pkG
]T$(:Q
RvGG:9
J i.axc(xxED%
O\:[>`
4>FmDJrdM/}
%P7Ny|8)ha
@!fT `'
`|4Jv:d[a
y~7@7?:
;b=!#krbeo
0`9NRrOaf7z*UKju'
OX2>0P:^pV!?GB7M
%XN]fo
h><lm5|
pL4yY|kCJ
KoNA}> !S
0UJ~_qO<D
+D6#?_]
5p?E1wp')LY
5j<>2(Ti`
}cV{};
)sEuANid([@
fTs%dQ
i]F/#(r&
GK].SF\
#2-8Ay
uT%+"fBh
ah&D8U
C7<:vc
ZzGjm~|
uh(:B?
Sf!R=^
M`bwhv3
j|crGT
5k_HKi
1P.;Bb#
^n5c_S?-kCSXr
.-Zb@x"
|'C(J5
->V7NF~?3|+f
_|lobN
.:^B}lLmj~,0q
w,E4xa83z.`
9LWzbD0*
@w~c[{
]`eQ~E
#$f!["CzqFb
OM;n~XB=8Lt1mL
lvt\g=t_i
8`yt[nbB`8
7`2Xk~
x+7\B5Z
{Zw6A0jV b{p.
!oXLFVdu
e0ay~<C[
aI+]ud
A7_5C}b
=?OEy@
eRsvd=!va S
xoEIhMt
[z_LQQ
6=v=4{jgf`jQg
XpEZ ].<
N,]d04!q
K 8`aR
a>`|e
7]`ZD
M-mfu/
BmY+6z=r6
{7Vdi=gq~1
KcdZiHUu
Ku ;hH
cx\~bz-}k
Ol-ry}Zhy
Q{F?+h
s1`@D`C2EaBz89{@+
4hO:cvO)\
BN$DEe
[Z(nOh
N"r&Q:
d$S>,q
?lh7UQa
f!Zbb;
,nO+n%
+=nm,nfI n|
#n@n>]n;<n"En_A3?,
.VvSV<
Y/X?f~7@)X
~`)!|],
LGUR<_
96a_;yxdZ
/hYU/-
Ag|\YMXuv
4{Gt&f
=4-3A0V
2!4.n/
pyHp5E
RJP=#h;AHc)!h=
J<,d&5-d
}# )bqB|Y
`.A!7A
d^WZhf>H`!zN
<O0*!1)FssR
l.M+~"{c;bQ9[
*qinTN]
X1cg*&P$ft)uM#
P-Tf@O
<(p / G#L[Gq+
ms'lGr\
22iGY$
2 v3[>r
9eb-I\HxcK
2Fa88E
?4O=?
b)7RUS
wtP255
kK^)QL
1C2dqs
RQ*S}(g)&s
~H_gUR
Xf%gg0
8(%yC#
:qYmN]
O+tf4}Uu
D d!!`46
YYk-6nV
cWX*90y6M
c;1Qz"J/
Iqn{0n &}cE
i0 (E;
dfyuy .H|
q~L![UVk]H
+n.)PA
;`{jibBC> '
sl%.T|Oq%QQ+O}
i:fI\g
K+E'''A
UD0GS4
%Z+b\ym
jeT _>sE
gN39o+o]j
){G!Iu
`s}kucgFQ&
3U!pi q
?'ufU ezaKr
:/*~S53
LJ. FR`[*F6:J
~`?y\`d
Unj%zG
`:hcz q~-ae5M
1lR^Tj B
BF2uI(a
{@{0i: p
3~7nq\^orBqg}@s}TA1fs~{A
ApF~UB5
pcyBqy@Q.r
@roeApeC
qUf%C)qf
AdfVVdf6f
fZ:dfQf)Iuff
fh$/sf
fuftf $
Af4~fqfnfdQf|f
uq?6ghvQ6gv(9gTq{?=g@
g=g;2gyEKg|yrKXrEtwrYJr^^
rTD0j<5
mBVh4di[LS$`
e(PD\,
pH~yc3E
KP2+m!
es|5CLG<
KT:TX}+i#?
Jv^sJy.
bu}YJc
/%_Bs#
er3LI=*,
Zy"`^{0
HX<(p,T
?4:It&/(
$H>a6~ y?JT1
elcODVy.F$4
K"2C<r2!
W9nFv$
(zOo!$i4W*
y-vCD>;01D2~40=
Uubp*RT{aH
tahw#Op
)_kF+bu3
Bp>r4B0W7<
q`hpQP
KwBeUQ\ 8N!)B=$gApO
bO9'<^
{k.E?7X8
aS4N'r
$44l6:
I*'91E
v7tD-FP
wDvuWIu
+Sf1=T[(g6
`~+d*V
vyx`]vTExc!K
m*ZE8N/"
&ox(X~,{
Us^)EQ
FV'q;}bwpo~MGnRU\
`c7ZvuJ/'
vu`7P?
jfGNT{
o5J$;5(
~cSoT!f
&m;*z2;*z
vi<M(i<O(i<I(i<K(i<E(i<G(i<a{
m)pvso+1
nJo=+[RteD20x9y
x9yxq9yxS9y
x9yrx9yTx9yVx9yXx9yZx9yxF
k#{0\ sh~;wt
}S$o hg
,-[`z~Jqf
^_d2i4+]
<!}c?"ahc
]/ct-R0Y
vOL9jdy!Uh
@2hvMH5J_
wZ4^I
WwYgWQn
a1Z/u2F9-
~@i35f
5*H"@}
s8KZJ<O
@:lc$4hT5I
V`vuR)'o
,$*SV\.'&f255_w/
v{'ShEF
W.%P2)x@qb<^@A
SxvK(%
m;NUF&N
`;e^ z
i3h|)6
]$d%",!
tbW@[/
F= M;T
a|x=n7'=
s>8K(zr*
Cfr*Y:z7
/22!HU}
j d5AuqC
kx$D.ZP^5
XC,ZQ[
v$l]SP
L/?YML
/cRMV6w
Ed~qOC|1V%3~<U
yuSzB7v/
zX?G hKZ
@VIBnnN
fjz\5m#C
-4+UU4
8W"5C#4-jL"#^b4l
uF}!.`<Tt7\-
*5(}]"
05b<]Y5
Pt=!&S
.Hqq*7
2Myxg.?Y[
>cB+FgVJ
>3RX,[
@,MVX;|w
&g4il^}['
ByNkVg
dRz9n];
7YZ z{
Y/9LU5>
@v.WA@PF_KfM
FqADHsLz<im
My$13tXd+X{
7vH)8.
{yg8?[xgn9!
}y,;%o
K+vW$b
|N =9clD_i
|%7j@B
}lD1C7eT^c_
zX#%e$%s(hj5eE
"9x1D9x1F9x1H9x1J9x1L9x1N9x1P9
x19#x19=x19?x199x19;x195x197x19
x19sx19Mx19Ox19Ix19Kx19Ex19Gx19ax19x149x169x189x1:9x1<9x1>9x1@9x1b9x19-x19/x19)x19+x19%x19'x19Ax19cx19}x19
x19yx19{x19ux19wx19Qx1
9x1$9x1&9x1(9x1*9x1,9x1.9x109x1
9x1t9x1v9x1x9x1z9x1|9x1~9x191x19
x19mx19ox19ix19kx19ex19gx19x129x1
9x1 9x1B9x1d9x1f9x1h9x1j9x1l9x1n9x1p9x1R9
x19 x19
x19qx19Sx1
9x1r9x1T9x1V9x1X9x1Z9x1\9x1^9x1`9x193x19
4%414I4V4b4z4444444444
525?5K5b5o5{5555555555
6&626>6O6V6e6r6~6666666666
7$7+737:7B7I7Q7X7`7y7777777777
8#8/8?8Z8g8s8888888888888
9'939K9X9d9{999999999
:$:1:=:M:T:\:c:k:r::::::::::::::
;);9;@;O;\;h;x;;;;;;;;;;;;;
<'<8<?<N<[<f<~<<<<<<<<<
=$=1===U=b=m=}===========
>(>4>@>P>W>_>f>n>u>>>>>>>>>>>>>>
?/?<?H?d????????????????
050F0M0T0f0x0~000000000000
1"1)1/1:1D1L1W1_1f1n1u1111111111
2/2<2H2X2_2n2{22222222222
3.3;3G3^3k3w3333333333333
4#4;4H4T4d4k4z44444444444
5&525C5J5R5m5z5555555555
6&676V6c6o6666666666
7 7'7/7F7M7\7i7u7777777777
8"8<8I8T8e8l8{888888888
9&929C9X9_9g9n9}999999999
:&:B:O:Z:r:~:::::::::::
;!;0;=;I;Z;a;i;p;
;;;;;;;;
<#<0<<<M<T<c<p<|<<<<<<<<<<<
=.=A=H=P=W=f=s=
==============
>4>A>M>]>d>l>>>>>>>>>>>>>
?%?-?G?T?`?w???????????
0$010=0N0j0w0000000000
1'131C1Z1a1i1p1x1
111111111111111
2#262=2L2Y2e2}222222222222
3-393E3U3\3k3x3333333333
4!404<4H4`4m4y44444444
5&525I5V5b5r5y555555555555
6(656A6Q6X6`6g6v66666666666
7'737?7P7k7x7777777777
8#838I8P8X8_8g8n8v8}8888888888888
9 9'969B9M9d9q9}999999999999
:%:2:>:V:b:n:~:::::::::
;#;4;;;J;W;c;s;z;;;;;;;;;
< <+<C<P<\<l<s<<<<<<<<<<
="=)=8=E=Q=h=t=
===========
> >0>E>L>[>h>t>>>>>>>>>>>
?"?3?O?\?h?
?????????
0,080D0U0i0p0
0000000000
151B1N1f1r1~1111111111
2+272O2\2h2x2
222222222222
3 3,383O3\3h333333333333
4"4/4;4R4_4k4{4444444444444
5+525:5A5I5P5_5l5w5555555555
6!6)60686?6G6b6o6{66666666
7#707<7T7`7l777777777
8'8.868=8L8Y8e8u8888888888888
9+929:9R9_9k99999999999
:9:F:R:j:w:::::::::::::
;%;,;4;;;J;W;c;z;;;;;;;;;
< <(</<><J<V<f<<<<<<<<<<<<<<
=%=6===L=Y=e=u=|==========
>!>.>:>K>R>Z>a>i>p>
>>>>>>>>
?%?2?>?O?V?^?e?t?????????????
0#0/0@0G0V0c0n000000000
1$1+131:1I1V1a1q111111111111
2%212A2T2[2c2j2y2222222222222
3%323>3V3c3o333333333333
4#4*42494H4U4a4q4x4444444444
5 5&555B5N5^5r5y555555555555
666C6O6g6t666666666666
747;7C7J7R7Y7a7h7p7w7
777777777
8"838:8B8I8X8e8q88888888888
9)959E9`9m9y99999999999
: :(:::::::::
;';3;K;X;d;u;|;;;;;;;;;;;;
<(<=<D<L<S<[<b<j<q<<<<<<<<<<<<
=)=9=@=O=\=g=
==========
>">*>1>@>M>Y>i>p>
>>>>>>>>
?$?3???K?\?c?r?
??????????
0-040<0C0K0R0Z0a0i0000000000000
1"111>1J1b1o1{111111111111
2!2,2D2Q2]2t2222222222
3&3-3<3I3U3f3m3u3|3333333333
4 4+464G4N4]4j4v44444444444
5-5:5F5^5k5w5555555555
6!6)6G6T6`6x66666666666
7$7<7I7T7e7l7t7{7777777777
8)858E8L8[8h8t88888888888
9$9/9@9G9O9V9^9e9t9999999999
: :':/:6:>:T:[:c:j:y:::::::::::::
; ;';6;C;N;f;s;
;;;;;;;;
<+<7<G<N<]<j<v<<<<<<<<<<
="=*=1=9=@=O=[=g=w============
>)>5>F>b>n>z>>>>>>>>>>>>
?/?<?H?X?_?n?{???????????
040A0M0^0e0t00000000000
1&121C1J1R1Y1a1|111111111
2#2*222F2M2\2i2u22222222222
3-3:3F3V3]3e3l3{3333333333
4-4:4F4V4]4e4l4{444444444
5!505<5H5_5l5x5555555555
6 6,686H6O6W6^6f6{66666666666666
7)7A7N7Y7q7~77777777
8(838D8K8Z8g8s8888888888
9)9:9A9P9]9i9z9999999999
:$:1:<:S:`:l:::::::::::
;";-;>;E;M;T;\;c;k;;;;;;;;;;
<#<+<2<A<N<Z<k<<<<<<<<<<
='=3=?=O=V=^=s=z==========
>!>=>J>V>m>z>>>>>>>>>>>>
?)?6?B?Y?f?r???????????
0 0'0/060>0E0M0T0\0r0
000000000
1)1:1W1d1p111111111
2"2B2O2[2s2222222222
3!3.3:3J3`3g3v333333333
4%4-4A4H4W4d4p444444444444
5%525>5N5U5]5d5s55555555555
6 676D6P6a6h6p6w6
66666666
7*777B7R7Y7h7u777777777777
8#8*828D8K8S8Z8i8v8888888888
9*969M9Y9e9|9999999999
:":.:::R:_:k:|:::::::::::
;#;2;>;I;Z;l;s;{;;;;;;;;;;;;
< </<<<G<X<_<n<{<<<<<<<<<<
= =-=9=J=Q=`=m=y=========
>">.>>>E>M>T>\>n>u>}>>>>>>>>>
?<?H?S?k?x???????????
0!040;0C0J0R0Y0h0u000000000
1)191@1H1O1W1^1m1z111111111
2"212>2J2b2o2{22222222222
3.353D3Q3]3m33333333333
4 4/464>4E4M4a4h4w4444444444444(5/575>5M5Z5f5~55555555555
6#646;6J6W6c6t6{6666666666666
7"737:7B7I7Q7e7l7t7{777777777
8&828B8]8j8v88888888888
9'9.9=9J9V9n9{99999999999
:(:?:L:X:i:p:
:::::::::
; ;0;7;F;R;^;o;v;~;;;;;;;;;
<!<9<F<R<b<i<q<<<<<<<<<<<<<
=(=8=?=G=N=]=j=u==========
>+>8>C>Z>g>s>>>>>>>>>>
? ?,?8?I?P?X?m?t?|????????????
0 0+0;0P0W0f0r0~00000000000
161C1O1_1f1u11111111111
2 282E2Q2b2i2x22222222222
3)3:3A3P3]3i3y3333333333
4!4)404?4L4X4p4}4444444444
5,535;5B5Q5^5j5555555555555
6 6(6;6B6Q6^6j66666666666
757B7N7_7f7n7u7}77777777777
8#808<8M8T8\8c8k8r8z888888888
949A9M9^9e9m9t9999999999
:":::G:S:k:x:::::::::::::
;*;5;M;Z;f;v;;;;;;;;;;
<'<.<=<J<V<g<~<<<<<<<<<<
=+=2=:=T=a=m=~===========
>!>(>7>C>O>f>s>
>>>>>>>>>
?+?7?H?O?W?^?m?z??????????
040A0M0^0u0|0000000000000
1!11181@1G1V1c1o1
111111111
2'232?2V2c2o2
222222222
3"373>3F3M3U3\3k3x3333333333
4 4.4;4G4X4_4n4{44444444444
5*5;5B5Q5^5j5{555555555555
6*61696I6P6_6l6w666666666666
7'7.767=7E7L7T7[7c7|777777777777
8!818K8X8d8u8|88888888888
9$949K9R9Z9a9i9p9x9
999999999999
:.:;:G:^:k:w:::::::::
;*;;;B;J;Q;`;m;y;;;;;;;;;;;;
<'<8<R<^<j<z<<<<<<<<<<<<
=1=>=I=a=n=z==========
>)>6>B>Z>f>r>>>>>>>>>
?%?,?4?;?J?W?c?z??????????
0'0.060=0L0X0c0{00000000000000
1)161B1R1j1w1111111111
2#242;2J2W2c2s222222222
313>3J3Z3q3x333333333333
4#4*42494H4U4a4r4y444444444444
5&5-555Q5]5i5z55555555555555
6(6?6L6X6o6|6666666666
7)7:7R7Y7h7t7777777777
8 858<8K8X8d8t8{8888888888
9'939K9X9c9{999999999
: :':.:6:=:L:X:d:t:::::::::::
;%;6;=;E;b;o;{;;;;;;;;;;;
<)<9<@<H<c<p<|<<<<<<<<
=#=+=2=:=A=I=d=q=|==========
>">)>1>8>@>G>O>V>^>e>m>t>>>>>>>>>>>
?!?-?9?I?a?n?y?????????????
0&0@0M0Y0q0~0000000000
1"1)181E1Q1h1u111111111111
2 272D2P2h2t2222222222
3(343E3L3T3[3c3j3y3333333333
4'4.464=4E4Z4a4i4p4
4444444444
565C5O5_5f5u55555555555
6 666=6L6Y6e6v6}666666666666
7%7,7;7H7T7e7l7t7{77777777
t6tbnyunmiertvecvarcvrt6tbnyunmiertvecvar
accc__o_es_Memory
abkke__2_dll
akatu___lloc
pyikiiwqpe
#&0l)9~#R
QJM}E3<
aXXXX?P _
NIu^88e
nnCp|2tPO
V`{y$O0Q_
[]"]VtO
Ut3h\,~
Fzy|ytf)p8
u#6^20unyo@E
hr;eMZ
KQ4OYP}
G,{p[RqH=tI
fM)MD"
pk!i}E
|/t.vj
?>79=Fz;Db
FuFFFuFuFFFUFUFFFUFUt1<
:s<d?T|WR
Rr;1d<ne>
yl(4uU!
UH?sycQ'@4&@4*<~;Rg
w"'3eRUt.INC?H..a8\=
]2*rnKA~
rSr+O8
F!zd1ouRtu
AN.Z=l/`?S.
[)+;O(9*F5&O7 F''&&i
@Nc"]P
r�b�x�r�_�o�s�.�d�l�l�
Process Tree
-
0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe (628)
"C:\Users\Administrator\AppData\Local\Temp\0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe"
- sc.exe (2940) "C:\Windows\System32\sc.exe" create jnwvkyhx binPath= "C:\Windows\SysWOW64\jnwvkyhx\ydhujglp.exe /d\"C:\Users\Administrator\AppData\Local\Temp\0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe\"" type= own start= auto DisplayName= "P2P Support"
- sc.exe (1056) "C:\Windows\System32\sc.exe" start jnwvkyhx
- netsh.exe (1912) "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- cmd.exe (1760) "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jnwvkyhx\
- cmd.exe (2012) "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\ADMINI~1\AppData\Local\Temp\ydhujglp.exe" C:\Windows\SysWOW64\jnwvkyhx\
- sc.exe (2100) "C:\Windows\System32\sc.exe" description jnwvkyhx "Internet Mobile Support"
0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe, PID: 628, Parent PID: 1332
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 1760, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 2012, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
sc.exe, PID: 2940, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
sc.exe, PID: 2100, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | |
| microsoft.com |
A 20.112.250.133
A 20.231.239.246 A 20.76.201.171 |
20.76.201.171 |
| microsoft.com | MX microsoft-com.mail.protection.outlook.com | 20.76.201.171 |
| microsoft-com.mail.protection.outlook.com |
A 52.101.11.0
A 52.101.40.26 A 52.101.42.0 A 52.101.8.49 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 52.101.11.0 | 25 | 192.168.56.101 | 49170 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 8d6452d4be3fbf36_ydhujglp.exe |
|---|---|
| Filepath | c:\windows\syswow64\jnwvkyhx\ydhujglp.exe |
| Size | 12.4MB |
| Processes | 628 (0653538ddc1d7c025fa4c42686ba6c2a6ba5e7b9dd27f47003707823dbfa79a2.exe) 2012 (cmd.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 9e0eaf2d1ec34e31d4c888a1dcafb19a |
| SHA1 | 5cd8a4bfc5195526272be9da5218b44f9f22a0d3 |
| SHA256 | 8d6452d4be3fbf366893bf2e54980adfa6018fef35dbcdc90bf1e8d8c2e76664 |
| CRC32 | A80E1C13 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.