2.8
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.74
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
观察到命令行控制台输出
(6 个事件)
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
文件包含未知的 PE 资源名称,可能指示打包器
(1 个事件)
| resource name | HAYE |
动态指标
分配可读-可写-可执行内存(通常用于自解压)
(2 个事件)
查询磁盘大小,可用于检测具有小固定大小或动态分配的虚拟机
(1 个事件)
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\lvifscfd.exe |
创建一个服务
(1 个事件)
创建可疑进程
(4 个事件)
| cmdline | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gktshveu\ |
| cmdline | "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\ADMINI~1\AppData\Local\Temp\lvifscfd.exe" C:\Windows\SysWOW64\gktshveu\ |
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
一个进程创建了一个隐藏窗口
(6 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': '.data', 'virtual_address': '0x00012000', 'virtual_size': '0x0001282c', 'size_of_data': '0x00012a00', 'entropy': 7.970090140387458} | entropy | 7.970090140387458 | description | 发现高熵的节 | |||||||||
使用 Windows 工具进行基本 Windows 功能
(10 个事件)
| cmdline | "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gktshveu\ |
| cmdline | cmd /C mkdir C:\Windows\SysWOW64\gktshveu\ |
| cmdline | "C:\Windows\System32\sc.exe" start gktshveu |
| cmdline | "C:\Windows\System32\sc.exe" description gktshveu "Internet Mobile Support" |
| cmdline | sc description gktshveu "Internet Mobile Support" |
| cmdline | "C:\Windows\System32\sc.exe" create gktshveu binPath= "C:\Windows\SysWOW64\gktshveu\lvifscfd.exe /d\"C:\Users\Administrator\AppData\Local\Temp\029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe\"" type= own start= auto DisplayName= "P2P Support" |
| cmdline | sc create gktshveu binPath= "C:\Windows\SysWOW64\gktshveu\lvifscfd.exe /d\"C:\Users\Administrator\AppData\Local\Temp\029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe\"" type= own start= auto DisplayName= "P2P Support" |
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | sc start gktshveu |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
网络通信
与未执行 DNS 查询的主机进行通信
(3 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
| host | 103.248.137.133 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| service_name | gktshveu | service_path | C:\Windows\SysWOW64\gktshveu\lvifscfd.exe \d"C:\Users\Administrator\AppData\Local\Temp\029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe" | ||||||
操作本地防火墙的策略和设置
(2 个事件)
| cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
| cmdline | netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2017-01-14 04:06:29
PE Imphash
74ba6313d507a9bfc82c19fb898275e0
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0000db84 | 0x0000dc00 | 5.928092590959383 |
| .rdata | 0x0000f000 | 0x00002906 | 0x00002a00 | 5.804842874177673 |
| .data | 0x00012000 | 0x0001282c | 0x00012a00 | 7.970090140387458 |
| .rsrc | 0x00025000 | 0x00000770 | 0x00c7b000 | 0.114237140749542 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| HAYE | 0x00025070 | 0x00000700 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library kernel32.dll:
• 0x41229c WaitForSingleObject
• 0x4122a0 GetProcAddress
• 0x4122a4 GetTempPathA
• 0x4122a8 GetLogicalDriveStringsA
• 0x4122ac SetFileTime
• 0x4122b0 LoadLibraryExW
• 0x4122b4 GetShortPathNameA
• 0x4122b8 GetStartupInfoW
• 0x4122bc UnmapViewOfFile
• 0x4122c0 SetErrorMode
• 0x4122c4 ReadConsoleA
• 0x4122c8 GetProfileSectionW
• 0x4122cc LoadLibraryA
• 0x4122d0 GetSystemDirectoryA
Library cfgmgr32.dll:
• 0x4122d8 CM_Connect_MachineA
• 0x4122dc CM_Create_DevNodeA
• 0x4122e0 CM_Add_IDW
Library user32.dll:
• 0x4122e8 MessageBoxW
• 0x4122ec LoadCursorA
• 0x4122f0 DialogBoxParamA
• 0x4122f4 DispatchMessageA
• 0x4122f8 wsprintfA
• 0x4122fc GetPropA
• 0x412300 GetClassLongW
• 0x412304 CreateWindowExA
• 0x412308 IsCharUpperW
• 0x41230c GetMessageA
• 0x412310 PostMessageW
• 0x412314 LoadStringW
• 0x412318 DrawStateA
• 0x41231c CharToOemW
Library uxtheme.dll:
• 0x412324 GetWindowTheme
• 0x412328 GetCurrentThemeName
• 0x41232c GetThemeBackgroundExtent
• 0x412330 GetThemeSysSize
• 0x412334 GetThemeAppProperties
• 0x412338 DrawThemeText
• 0x41233c GetThemeFilename
• 0x412340 GetThemeBackgroundRegion
• 0x412344 GetThemeSysFont
• 0x412348 GetThemePosition
Library rsaenh.dll:
• 0x412350 CPGenKey
• 0x412354 CPDecrypt
• 0x412358 CPCreateHash
• 0x41235c CPEncrypt
Library advapi32.dll:
• 0x412364 OpenEventLogW
• 0x412368 RegCreateKeyExA
• 0x41236c RegLoadKeyA
• 0x412370 ClearEventLogA
• 0x412374 ControlService
• 0x412378 InitializeAcl
• 0x41237c LogonUserA
• 0x412380 RegRestoreKeyW
• 0x412384 RegOpenKeyA
• 0x412388 CryptSignHashA
• 0x41238c RegSaveKeyW
• 0x412390 RegReplaceKeyA
• 0x412394 RegUnLoadKeyA
• 0x412398 RegDeleteValueW
L!This program cannot be run in DOS mode.
`.rdata
@.data
QRSTUVWXYZ
\]^_`abcde
ghijklmnoP
RSTUVWXYZ[
]^_`abcdef
hijklmnoPQ
STUVWXYZ[\
^_`abcdefg
ijklmnoPQR
TUVWXYZ[\]
_`abcdefgh
jklmnoPQRS
UVWXYZ[\]^
`abcdefghi
klmnoPQRST
VWXYZ[\]^_
abcdefghij
lmnoPQRSTU
WXYZ[\]^_`
bcdefghijk
mnoPQRSTUV
XYZ[\]^_`a
cdefghijkl
noPQRSTUVW
YZ[\]^_`ab
defghijklm
oPQRSTUVWX
Z[\]^_`abc
efghijklmn
PQRSTUVWXY
[\]^_`abcd
fghijklmno
QRSTUVWXYZ
\]^_`abcde
ghijklmnoP
RSTUVWXYZ[
]^_`abcdef
hijklmnoPQ
STUVWXYZ[\
^_`abcdefg
ijklmnoPQR
TUVWXYZ[\]
_`abcdefgh
jklmnoPQRS
UVWXYZ[\]^
`abcdefghi
HxKPpvJ
})"|uX@
N(>NC|X
0nd(=T|&&
<]V;o'<Mf7
`gR&<1`g)<h
)<h)<Qh)<Uh)<Yh(<iK(<iG(<iC(<i4
tv_5LtvW~4uvS7vvO7vv7#
@7;w@8}
({T[:Sb
PDyiC'K("$k
;2+k@T+
+,`lel&"/Jy%G76
HR5^]+,:
*V57elH
Z/+&jPa?
|7T.%t>q
ej.<=6g
m?B,2,c2
%&l@-=O/
b9$JdA-A
EoZa]"OZ[
-;B'Yf
Pe'C3m
?"2HaA
(D|iZsQJA
WI's@Le*
[Qsc2s
^vxSD9u[$SXie%I^'C"Zm+N_I
yoX=4&Hvfe#X{l
>I&Q("ck'Q%D,vmTT
2Szb7G&
dE?,Yy
K[%m[`lk
\%C>l d\
o.yz[v
e=%A"Eke\;
}pv<# T!
aylgHZ
/,B"k}
TcL41[}K8n
O0:}4gn6qpg(
:]S4KF
/'+0?{4R
.Q[S:i
%Vx3{eS
y\KDwo
2]X-qS
PsgGF(
P:avH/
}Pm/Kzf =5
bIkQ}b
Uvismj
-As%19r<
cX15?.
JBBF)?j
.Ugd';4zJo
+J0M4:q6~p9
7{\]B0r3v
:&>2b"_M9e
Fg-'pq
8"NMD#
!e'(#}AT2f9
QRSTUVWXYZ
\]^_`abcde
ghijklmnoP
RSTUVWXYZ[
]^_`abcdef
hijklmnoPQ
STUVWXYZ[\
^_`abcdefg
ijklmnoPQR
TUVWXYZ[\]
_`abcdefgh
jklmnoPQRS
UVWXYZ[\]^
`abcdefghi
klmnoPQRST
VWXYZ[\]^_
abcdefghij
lmnoPQRSTU
WXYZ[\]^_`
bcdefghijk
mnoPQRSTUV
XYZ[\]^_`a
cdefghijkl
noPQRSTUVW
YZ[\]^_`ab
defghijklm
oPQRSTUVWX
Z[\]^_`abc
efghijklmn
PQRSTUVWXY
[\]^_`abcd
fghijklmno
QRSTUVWXYZ
\]^_`abcde
ghijklmnoP
RSTUVWXYZ[
]^_`abcdef
hijklmnoPQ
STUVWXYZ[\
^_`abcdefg
ijklmnoPQR
TUVWXYZ[\]
_`abcdefgh
jklmnoPQRS
UVWXYZ[\]^
`abcdefghi
klmno=u"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
ud5u"A
sMhC"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
o}=u"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
<u5u"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
*s5;B@
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
-!dP"A
E^5Zm@
O]5u"A
SetFileTime
LoadLibraryExW
UnmapViewOfFile
GetSystemDirectoryA
ReadConsoleA
GetStartupInfoW
LoadLibraryA
GetProcAddress
GetProfileSectionW
GetTempPathA
WaitForSingleObject
GetLogicalDriveStringsA
SetErrorMode
GetShortPathNameA
kernel32.dll
CM_Add_IDW
CM_Connect_MachineA
CM_Create_DevNodeA
cfgmgr32.dll
CharToOemW
CreateWindowExA
GetPropA
GetMessageA
IsCharUpperW
DispatchMessageA
LoadStringW
wsprintfA
MessageBoxW
PostMessageW
DrawStateA
LoadCursorA
DialogBoxParamA
GetClassLongW
user32.dll
GetWindowTheme
GetCurrentThemeName
GetThemePosition
GetThemeSysSize
DrawThemeText
GetThemeSysFont
GetThemeAppProperties
GetThemeBackgroundExtent
GetThemeBackgroundRegion
GetThemeFilename
uxtheme.dll
CPEncrypt
CPCreateHash
CPGenKey
CPDecrypt
rsaenh.dll
InitializeAcl
ClearEventLogA
LogonUserA
RegRestoreKeyW
RegReplaceKeyA
RegUnLoadKeyA
ControlService
OpenEventLogW
RegLoadKeyA
RegSaveKeyW
RegOpenKeyA
CryptSignHashA
RegDeleteValueW
RegCreateKeyExA
advapi32.dll
4%414B4I4Q4X4g4t4
44444444444
535@5L5]5d5l55555555555
6!6)696@6H6O6W6^6m6z666666666
7'737C7J7Y7f7r7777777777777
8 8/8C8P8\8m8t8|8888888888888
9(9/9>9K9W9n9{9999999999
: :/:<:G:X:_:n:{:::::::::
;%;5;<;K;X;d;|;;;;;;;;;
<%<,<4<;<J<W<c<t<{<<<<<<<<<<
=4=A=M=d=q=|==============
>*>7>C>Z>f>r>>>>>>>>>>>>
?%?4?A?M?^?e?m?}??????????????
0$0;0H0T0l0y0000000000
1)151F1M1\1i1u11111111111
2#2*22292H2U2a2r2y22222222222222
3 3'3.363=3E3L3[3h3t33333333333333333
4$4;4H4S4d4k4z4444444444444
5#525?5J5Z5a5i5t5{555555555
6$6+636J6W6c6z666666666
7%767Q7^7j7{7777777777
8 8-898I8Y8`8h8o8w8~88888888888
9 9&9.959D9Q9]9u9999999999999
: :-:9:J:a:n:y:::::::::::
;&;7;>;F;Z;g;r;;;;;;;;;;
<!<0<7<?<F<U<b<n<~<<<<<<<<<<<
= =*=;=B=Q=^=i=z===========
>%>=>J>V>m>z>>>>>>>>>>
? ?-?9?J?Q?`?l?x???????????
0+060G0N0]0j0v0000000000000
1 161C1O1_1n1u11111111111
2"2)212=2D2W2
222222222222
3 3'3.3:3R3c3j3q3333333333333
4)40494A4H4N4Y4c4k4v44444444444
5"515=5H5X5e5l5t5{55555555555
6!616E6R6^6o6v666666666666
7 7.7:7F7^7k7w777777777
8-8:8F8^8k8w88888888888
9'939D9K9S9Z9b9n9u9}99999999999999
:$:5:<:D:K:Z:g:s::::::::::
;!;9;F;R;j;v;;;;;;;;;;;;
<"<3<:<I<U<a<r<<<<<<<<<<
=&=3=>=N=U=]=d=l=y============
>)>5>A>Y>f>r>>>>>>>>>>>>
?"?/?;?S?`?l??????????
0 0,0D0Q0\0m000000000000
1$111<1T1a1m1}11111111111111
2#2;2H2T2l2y222222222222
3 30373?3F3U3a3m3}33333333333
4)494@4H4W4^4m4z44444444444
5+585D5[5h5t55555555555
6&636?6W6d6p666666666666
7$707A7Z7g7s77777777777
8 8&8.858D8Q8]8t888888888888
9!9)969=9L9X9d9|999999999
:%:5:E:L:[:h:t::::::::::::::
; ;,;<;C;R;_;k;{;;;;;;;;;;;
<'<?<L<X<i<p<x<
<<<<<<<<<<<
=*=6=G=Y=`=o=|===============
> >6>C>N>^>k>r>z>>>>>>>>>>>>
?+?8?D?\?i?u?????????????
0!02090H0U0a0r0y0000000000
1 1&151B1N1^1m1t1|111111111111
2"2/2:2Q2^2j2{222222222222
3*363G3N3]3j3v333333333333
4*474C4[4h4t4444444444444
5#5;5H5S5c5q5x5555555555555
6#626?6K6c6p6|6666666666
7$717=7M7T7c7p7{7777777777777
8!898E8Q8h8t8888888888888
9 9+9C9P9[9r9
999999999
:":-:>:E:M:T:\:t:::::::::::
; ;+;B;O;[;r;
;;;;;;;;;
< <.<;<G<^<k<w<<<<<<<<<
=#=*=2=9=A=H=P=\=c=k=r=z=============
>%>,>;>G>S>d>k>z>>>>>>>>>>
? ?'?6?B?N?f?s?~????????????
0 0+0;0B0J0]0j0v0000000000000
1!1-141C1P1\1m1t1|11111111111
2(292@2H2O2^2k2w22222222222
3)363B3S3Z3b3i3q33333333333
4/464>4M4T4c4p4|44444444444
5-5:5F5^5k5w55555555
626?6J6Z6a6i6p6
666666666
7&727C7J7R7Y7h7u777777777
8 80878F8S8_8o8v8~888888888888
9+999@9O9[9g9
9999999999
: :,:8:I:Z:a:i:p:x:
::::::::::::::
;!;-;E;Q;];t;;;;;;;;;;
<(<8<?<G<N<V<]<e<l<t<{<<<<<<<<<
=(=5=A=Y=f=r============
>$>+>3>:>B>I>Q>X>`>r>
>>>>>>>>>>
?(?/?>?K?W?n?{??????????
0%050J0W0c0{000000000
1#141;1C1T1[1c1j1y111111111
2#2:2G2S2c2s2z222222222
3(353@3X3e3q33333333333333333
4&474>4M4Z4f4v4}44444444444
5 5&5.5B5O5Z5j5q555555555555
6'636J6W6c6t6{666666666666
7%7-747<7J7Q7Y7`7h7o7w7~7777777777
8 8'8/868E8Q8\8m8x8
8888888888888
9.959D9Q9]9u9999999999999
:":1:>:J:a:m:x::::::::::
;';8;?;N;[;f;};;;;;;;;;
<*<6<G<N<]<j<v<<<<<<<<
=*=1=9=@=H=O=W=^=f={=========
>)>5>L>Y>d>u>>>>>>>>>>>>>>
?"?.???F?N?U?]?d?l?s?{??????????
0-0:0F0^0k0w000000000000
1'1.161=1E1L1[1h1t111111111111
2#202<2M2T2\2o2|2222222222
3 3-393J3]3d3l3s3{333333333333
4(444D4K4S4Z4b4i4q4x444444444
5%525>5O5V5e5r5}5555555555
6%616=6N6U6d6q6}6666666666666
7)747D7K7S7^7e7m7t7777777777
8+828A8N8Z8j8q888888888888
9"999E9Q9h9u999999999999
:5:B:N:_:f:u::::::::::::
;$;,;9;@;H;O;W;^;m;y;;;;;;;;;;;
< <'<6<C<O<g<s<
<<<<<<<<<<<<
="=.=?=N=U=]=d=s===========
>%>,>;>H>T>e>l>t>{>>>>>>>>>>
?$?0?A?H?W?d?p??????????
0#0:0G0S0c0t0{00000000000
1 1+121A1N1Z1r1
111111111
2"2.2>2E2M2T2c2p2|2222222222222
3&3>3K3W3o3|333333333333
4#4*424?4F4U4b4n4444444444444
5 5(5/575>5M5Z5f5w55555555555555
6$616=6M6T6c6p6|666666666666
7.7;7G7^7k7v7777777777
8"898F8Q8a8h8p8w8
8888888888888
9)959E9L9T9[9c9j9r999999999
:&:2:=:T:a:m:::::::::
;%;4;A;M;d;q;};;;;;;;;;;;;
< <*<;<B<J<]<j<v<<<<<<<<<<
=,=9=E=V=]=e=|==========
>+>7>G>Z>a>p>}>>>>>>>>>>
? ?/?<?H?X?_?n?{????????????
0(040K0X0d0{0000000000000
1"1)181E1Q1a1u11111111111
2/262E2R2^2u22222222222
3 3,3<3J3Q3`3m3y333333333
4 4-494I4Y4`4o4|44444444444
5'5.565=5E5L5T5[5j5v555555555
6%626>6O6g6t666666666666
7!7-7=7D7L7Y7`7o7|77777777777
8$8+8:8F8R8b8i8x888888888
9 9&9.959=9D9S9`9l9|999999999
:%:,:;:G:S:d:k:s:z:::::::::
;*;:;A;I;P;_;l;w;;;;;;;;;;;
<$<0<@<G<O<d<p<|<<<<<<<<<<<
= =+=7=G=N=]=j=v=========
>.>:>F>]>j>u>>>>>>>>>>>>>
? ?0?7?F?S?_?v??????????
0 0,0=0D0L0S0[0b0q0~0000000000
1)151E1L1[1h1t111111111
2)20282?2G2N2V2]2e2{222222222
3"3:3G3R3j3w33333333333
4 4&454B4N4f4r4~4444444444
5#505<5S5_5k5{5555555555
6(6/676M6Z6e6}6666666666
7.7:7E7V7]7e7l7{777777777
8(848D8K8Z8g8r888888888
9)959E9^9k9w999999999999
:):5:A:Q:X:`:g:o:v::::::::::
;$;1;=;N;U;];d;s;;;;;;;;;;;;;;;;
<&<=<J<V<f<s<z<<<<<<<<<<<
=$=0=A=W=d=p=============
>!>)>0>8>?>G>N>V>]>e>p>w>
>>>>>>>>>>>
?#?/?@?G?O?V?^?e?m?t??????????
0)00080?0G0N0V0j0w0000000000
1#131:1B1Y1f1r11111111111
2#242G2N2]2j2u2222222222
3#3*323>3E3L3[3h3t33333333333
4'434J4V4b4y44444444444
5%5-545<5C5K5R5Z5k5x55555555555
6&636?6V6c6o6666666666
7&737>7N7e7r7}777777777777
8)8<8I8U8f8m8|8888888888888
9"9)989D9O9`9g9o9}99999999999
: :+:<:L:S:b:o:{::::::::::Y;;;;;;;;;
<!<1<8<G<T<`<p<<<<<<<<<<
=%=2=>=N=U=]=l=z==========
>(>4>L>Y>d>t>{>>>>>>>>>>>
?(?5?A?X?e?q??????????
0"0:0G0S0c0j0r0000000000000
1+121:1A1I1P1X1_1g1n1v1}11111111111
2#222?2K2\2r2
2222222222
3 3,3<3C3K3\3c3k3r333333333333
4(444K4X4d4u4|44444444444444
5"515=5I5Y5
aertwbdaerty
accc__o_es_Memory
abkke__2_dll
akatu___lloc
gxuhnndxtsyoors
#&0l)9~#R
QJM}E3<
aXXXX?P _
NIu^88e
nnCp}2tPO
V`{y$O0Q_
[]"]VtO
Ut3h\,~
Fzy|ytf)p8
u#6^20unyo@E
hr;eMZ
KQ4OYP}
G,{p[RqH=tI
fM)MD"
pk!i}E
|/t.vj
?>79=Fz;Db
FuFFFuFuFFFUFUFFFUFUt1<
:s<d?T|WR
Rr;1d<ne>
yl(4uU!
UH?sycQ'@4&@4*<~;Rg
w"'3eRUt.INC?H..a8\=
k~5(cP2r8~2KP
J#BN.Z=l/`?S.
[)+;O(9*F5&O7 F''&&i
@Nc"]P
HxKPpvJ
})"|uX@
N(>NC|X
0nd(=T|&&
<]V;o'<Mf7
`gR&<1`g)<h
)<h)<Qh)<Uh)<Yh(<iK(<iG(<iC(<i4
tv_5LtvW~4uvS7vvO7vv7#
@7;w@8}
({T[:Sb
PDyiC'K("$k
;2+k@T+
+,`lel&"/Jy%G76
HR5^]+,:
*V57elH
Z/+&jPa?
|7T.%t>q
ej.<=6g
m?B,2,c2
%&l@-=O/
b9$JdA-A
EoZa]"OZ[
-;B'Yf
Pe'C3m
?"2HaA
(D|iZsQJA
WI's@Le*
[Qsc2s
^vxSD9u[$SXie%I^'C"Zm+N_I
yoX=4&Hvfe#X{l
>I&Q("ck'Q%D,vmTT
2Szb7G&
dE?,Yy
K[%m[`lk
\%C>l d\
o.yz[v
e=%A"Eke\;
}pv<# T!
aylgHZ
/,B"k}
TcL41[}K8n
O0:}4gn6qpg(
:]S4KF
/'+0?{4R
.Q[S:i
%Vx3{eS
y\KDwo
2]X-qS
PsgGF(
P:avH/
}Pm/Kzf =5
bIkQ}b
Uvismj
-As%19r<
cX15?.
JBBF)?j
.Ugd';4zJo
+J0M4:q6~p9
7{\]B0r3v
:&>2b"_M9e
Fg-'pq
8"NMD#
!e'(#}AT2f9
y5/K;gi]
P 0dUc{Q|Ic
#yLX{sjM^zG_
u/1Uuz9M#2
.4*`I; V!rri)+J[
E/0{kP.
N~0y}xMt9Yf{iECz8m4}5
d9[i}[_W)S
^z7}b2
3nSI]g
P7tuF~
?yI|Re&U@w
soH!*qgE0
jd-+^SodxOBZAss
.AsTg9
zUWx8j!D
(^LW6_~ZR?pE
N:q %]2DZ).~8!Lxw-*ypoJ~Fc
hl)5l+
*1%Y@d"
KHc?YQ!<L
2%O<W}s]P:Kt/ A
NYfc$[a9Q#
9]<l_PoTlHW
X*<XV}
xdXIZw$a
S*/VzLOd;ZKKJ?
5Kw(x$jOs
'qdCzs}]@[
1%)lo.o
G<'gW!|
Ca2~kBZ(
iY0ag\~H~O
_6<p02.
?.}b9f
v.QcQ[,x~n
a\GucQ
g0wb?RYo(:r|
'-_40eY
g3u+asV
7ohM]1
'S6db*ge
RbkF55+
|BNXMd,ryyI;$:
iZ^t|l6
6!DW?ba*
Iklo88;Tapi-E5l
/J!5`h
p&hRxl'J|+f
GvjS8V,
b4G2z,$
oesA/0?
~5`*w_2
%|,l;FD
9>QF{`E$Hm
#*XQVO
4^/[qT
B'2uD46\
bP au_VngY3!'
RVBcore
f~<z]sBm
icFS%r`
`/.f&Xj
HoT.j))jBs;
gdDeB&T2s'
^/mn`J
QL&RfgB4#
fIQ3i@bi`
PiH6M|H7
K.mQ/f
oQ|.W0V/C#*
P`swcK
8nty+t
l?^ngL3p~ra
)QaM#A<5q
Rd)Rh}eO
J%@vF-Rp?qiN
t6e**d5>>
"~JAc]"
,zJ<\!
P\g:B@y
W`HYy)7
#J%V /..
FW*[=rNAb
ft(-Q/0H
UU/dwzg\J&`
A&QGzu
ou]#4z
4 l%-!9
:C0 Q*De
_O*E|<jQ26Z[D.a"?
uZ}I,~"
gR"fuRgtf
BYF5p$E
QHyw<:
ZcP&9&
STP>PGVb^]"2
s5udP}R
Y|*j*p
L`~n@X
Zy2J2c2]3
)2X/1P
qT1HRB@u
eT!0rM&,T
qHO\=J1%
7QQL"d|d
NB}w,2()
w~3O6j /Z^_
q&6Qo&`X
+TmvTY%@'{
)xz[i~
,.!+x"
DRhnL6F
0s}MI,
i#G R#t]c4ZbG:~=x
~'N:$2D>
sWXLI3@~_J\=/
<IyBpL"MZ!G
0bZD~o6[
&9qkI0
+3ieCv!
JD.!(a_%{D7
5Jv!WOZ6H
$'$ghg
\Mnt,%]5"
8+Z.sva^
9|dWV4~O?N7<yF
d>0V84
#9WCsk
z.+17g
8HQ:3({^I`
.b6s2j[
8y9nRV
E.(7c2Vp~
!Mp!QeU
t<psiGz<=.|
n'mm$3
dlz"AcUE6iw
_4*qe^8u9
9CqLstD|*q
^Blevt*siJ
?0pmfV9^th2_GX{t`'xt
Rif)LQ8
l|D1IZ
Q^x}l!Y^`pA$
rJ^s}O
30&>WJ
Rw,x-'9r9'#8O
5A|UckJ`0
/X!E9P
H\<4YWkJ
# M5Mt
%+;M*
.;gtYj
%n6eq+
\Lw{Gt`f
8$v{H z^
@f~%E$a+4du}20:J!myiLJFR? `
.GoH|Y
#iWM 9Xf
n"P6NVN
q*&i?R6
[z9?72PA
[+nrOW/t
3S;Km)
[B__FXW
.hz`H.4
5tvONNyd
8 nu8>
Q`naV^
ssm2Cb
K#lA7'ow
f_UIfc8zD~0
/ji&!y%x
7u*.4
G|4;;r
bz@0FrnmA
@_r#qo\
>NqKpU_
<Bx#P|#?r
IbSGmOGZ
vzb*H#
h8|<P!
74f hK
3[UxLN
>Fk:r0`A
yy$K;gz9t
]%Y4) LC$
9V'ebN /ak
q9pTnM
|q;I{,Vd
l*AFQsMA
BrWC>}/
];5Sz4aDnW
lIH 61~4
4#hN;i2s
1SR59n
4M'rTr^/
n5aTsrP*o
nd%VQ5x
wg6UY"
&@0vY7h~i;
b1 nel
s3b ]B-
3Kwo0[
|2Xbs>O3M
^ds+b diD<J!
Rl$[M3 P
PI2?N=
78nk.MV
F1h.y_~}
R=yIe1
lP(\bi9n@.:6:J
<>q1DCs/8/
.t+)M+1tc}5)n}<
g}4&vp,*?
|QYw{!E:J
qf#AA[t^)1
t'EkiGu:nn/S.
?5"Ku#
JMp]94ph'
TS zP
T#x&G90k
]-s_.cEeb
2V2Z;;1hNx
*D+J*SP
WrISGhWL
ZsLJ?U
!#VFRc
W.b?c'
{lN L4;R
60D` 'O
H#":|)
kYq'i-S5L~
ukR7aPh2
P9_@07,
y.KjcY)!Ff
4b=@'h:
/xvA?z
@mbG*b
?=;Q30I&5
o<#5cR
o>Qsxx
J99Q0u
@`1)gmk]]
0pg+]e
l"G{9GPOtaPf
Wp@]Yp
46pTxa
w$jreP
-J"j 2
mFN4h?sMt
(6a,Dz0fuw
Oz!<\E=h]cq
h3 ,f&]!
]4medLz
}c|N{(6
py4-/h
kveM}:
CMx<$@8$ XBW\
yj,BB.\ R=
bAc^J,C'
t>JRD)
{+Ap9j
ODQ!D }$^m3dVzqCYu
di<uz_
gyTbyn'
,83;VP
~@K8M;
<j*5ao'`
2J,y$A}~O
p`j`cX
I9Py'#
#if6~1}
pu6%H&{o
5dfULx
rh:6.:+
(*e-$~u`
F\l^Il
laPCRqw
i`)pR>
Xg4!af
dYk"pIK
8w^2#V~e_Z.h
J1'!u7'hq/$%F
gUbY QhK
h[)'X"
`Sy&Z,
1>pn9
_IVKJ:w")
1lBrZt
It*TD1[E
wE7.nm,e
]03Z>I
|geD}Lis(qYv2D
79ECwE
@bim^`O-R>gb
'azzj^7wGR
^zI-K_"zg
6?t&Bg/Vbe
n>/I{.DI,4`MO
.`70:9y T=
l:(3r;
FEJnw/@Qs\@
`pdiu{B#oeX(?}
rsiha6S
j'mT{e
>gGC9MM&
|x0=wH
As56s<H
@t\^\jNm
-S.bUw
B3tj@z
hzF#Uw"%
"dZb%l
UC8%AS^
78`3K]
> PwQ>7M6$IN=EZ
/$|%95SP
;f p_"H
3>FGsNt'8N
H]-55'#@&
2!1uUA
nd>&O_
R8|+VSJ'G-l
2#9luKOwfQ\`9h
\[OI"G'4b.iPJm})iy
iAPF ^+E
R$3kp-XW
6XcmFSgj
F/ywJBI
+iDmB_-gZ
TZ~-o\
*M[>5g
Ne{Z;g}=k:=V
.jz!&[C,bqDxyG6hgtg
1C`yuUAhG
z5j;K5e.G',buf
Lp"St-
jL_,xwW<ae6$W
Y7sJ:K
uA 45C-"
{+2A L6
H8[6'.
`5t3p,Zo
&i}I<[&
=#OazEScB.pZ|
mn4b_/:q3
iu9(itha
cTH~b%P
"PcqsxJ\
ZmPyVo
);e\zn;
Q\z"^8}^
Q ]Xfont
/QmhCwmi$I
Q)Ux*w,7"on
h!C<(Rj
%gr<Y'CV
Oc Q%!U
QPlBVEpWG}147R9
.e+x;6$
V`%\k_X\MI
@kVmYOh
eqk]X!
dnw/"b>H
nVY'%d%&
*m5@,e
f+%c(NTI#CB
fp`A50a>
Pgq{D#
p*]Rs9{,
\S2XYn>/-wi
^wE[9
8Iu{GB
g{DE;/Gv'*V5
\|J,<v KJa 1{6rw
~A%|(6
9Z5bl@
NHjE0[
Z)~oMmj
y'ChUqJ[Ph
2Nk&dF`4W7
`^zAIvEO
?H1_ +O)z
|=I!PzL
mJ@<js9Re R5w%V(GBZj
&K^4jv1
c}J<Z(\
cK8Jy'wKf]5|. B;
t/2'fjm~Xd
tsyE@Q
Yp*jiY
io.0oj'.eo
-V>V`5
"YD7"O
}DGCpu
]5;Jv0
QlPJJ}
NDS!v7xLaA
xXx6roN?iDh*]
/'k"KN
v:H<%,
a"yN'sA
RnnEPIP
$-U7o9-
( (C9jsxn
)"H n/t
zZbZ:uY?
>oj{q}?O14~uS=.
jAG<Hz
daO"#6<52r
Lu$Geg^
B_(hW
c<Qc|/
5 sZcZR`w
I4[Gi.T
d:"oz)Li^~X
O'):bf
jUbU{dq|d#
ds;aAPr}`<~y6?E
:z*f>jG
}TK#^b
8h!gXza
7$VOY2pn
#H9jzx.*5
n6oQAtNoh ]
h[GNqq
b?3s(+.>2\
ZF=ol3
r^xV@ \J
8_wgUugJN.}ov
Jo~?P
!XQV#[@
r}F@<D
zd2POb
jb\c{J
wt[E5Li(
MpTbPA
$d+ Jn
kSV=-My6
L-~~Z*K
,<aP}7a
)GzGOt
zGP)/P
Lt<;ZmTrl-
8/RXD)
pFrh34<zc
QIchBE_
KYjIM'
`Z:%svD=er
_k&?*>Q
rSmVfEaoSy
[C/q\L~[
-P?# NU-
0_7n{~y:c"
>_vrS`c
A&>_5$
OQlt3's]=L*
y#3FdjK YZ
h g^6Z
G#p<IB}$H<Zwrm$*Y;`C
)ettCV
I4eQlr$(4h*
Ojd)\rE
$3uGUD)71j
``YRPmT
I}cg`WwR,A`m`ji
(OplWXm
(`YwRT>\j_?
6L8/!M$ce
jzm+ [
WYPqCp
kz+=^5
yiPo'b|`S=0
I Mu/2K,0
fV)ck"m`
q2N+E5
$Nb`;"%z[
yrmV&0
?ewsB&!]I
ay8 7^
Vr=ViY
)QDQeS/
ceozLfu T
*([G"+y!
iV^B)s
5XAozQ8.!D}
=Gc)%xs>B
GMKt_*
sB3y#qy
0+&j#7sWe`w2&
>}C)i_
KHe$N#VGC&L
)]J;yz
7%8ST,
73? avL
cy1+~n`9
oNnTBc5[
hf&Kxs
Z,HF:qKV
6+[P-^4f,r3/
E]'67iE(4y
mQy>cw.jw-?G+6-
,lYv"Hvd
%&6|iw
^,}ll>-
BH(>C2
;.lczKi;[[=nt[-i4
-tEGFsh
4`nA7Zr
-~QlBl9
v)5D>|
EXGv-3
Zr e>g-
f,?M<l
%{N?8}w
#wWq_[vT>DI9hxzZAXD r-F[V/
8O QC^
|e iarO7:{Y{
uXc^lV+%^dj%o\ E2wssr"ia +
WFO?nO
e/j{+rNFmssxnnW
Gmc@,v)PDa
w[L s~a5*
.D) op
slt)5'wB!-
l;}-<+
O/UD8Cyv
cB |^\x
;Qc<qQ
d`m%$`
1C%p"Py2-
PEs KA>
o0%p+)>
DSX|PN$}~w%Qd/%yv/OR:D9F:
i*N$[k
z%x{:/T\9m
UNTV,&9,I){Xa_K,zO
za<wz!1
6^~{;O::
(W0!`1(
)#QqCFw>9Z
P#3[Vn+
+q+qW,%~Zw
v0w<67
D]tne`
l2E;wQ*-
$l,$\\b
%mctz'H
q=f)[Q
H29u>s
AL>?7:+d BA|_(xVt/ForU7`Y
jvXo]Gh
RUeh-<W"W
!QFt"&
-f4/QqR/
i1P`~b!LRDi{
g:6/+7f
<*|_md*H"k{"@XY `L7
OqU?\sAvt6)R3
{UxZNIy
tJ(yiv
wX2l;kWF@t9A
(c,K% Uw
=vcc"KT`o
"$|Bvj`yMrzcmLU/snFr
r_V"#2
/2}3M5h
]to`5pNmI
|kgYEA*
T9ST :Lm
B.JM6E!~wT6uf
3<)}@xJ,afO,{_uI3lg
E)xi.j
Y{w-8r&Ds9"
Hbc,P"`
'XnAB_
Lr-{lV
H| h^x
3gxUn~oSbx:
z17>u[13G
!Yat_*/yw
c t"^qB0q+^
$v$lQ;x
mxw,F,
3p,w"k
v/%^qD0)E
gV'E/,#
mz./v]!/W\
%=@IrQ
'&E k;
Y8?j~x|,h
(*k)iR(W=
0EnJB
#F.,n9
-nZO FB9>jKX
c>-@7'1
~Puo=#W]r
2uV Cy>X&9f
*o+eW~AZjo
^/:8;q
Z9EM1
Z[)btn+eocg2
JHuy#e;8pM
,[8<rFu
Tu\>Tz$vI?F
Eu'4|txqKLZ
_]9?lxk&_9
Na0| $F}
bmW3`?BYH
o{h.j~(\"#x
`_vye4
@FO+?4u;
3Dnv/x,?z#o{
=rT,QN@Gs
p(qBiKH
Z:cd"vr
-"z#-\>&tZ
>se=m(8G
8#xUW2N5s'ET
A~R`1i
,ryOE5W,
BqdS3$<]k
$Lu84.3&
mp7hd?
Ir]{3%
YH)r,X3 {.vP.
)EJ!(/w(
S],8]jX5@j
"jUkY(
FT?]f~}
qHS,5I:m^:_y\en$ +
Z'UKEMd{\D
3Qdt?(
+-'2 fR5vDS?h*Z
7]LYR&s
vdmic,M|o3
t8ykDV
YR.+jv,pv*pN8
onmF}8KS
tsfF2|
t%ZI<{
U D4|H?v
$;;:6}
hF?0h*Wq4`uG"5);x
]0.Bc\^j
P)('6[f
Yt%\G'
J{0rr@0s0
zh;N?u
^6+ z^ M
%!gBoT
;L=JMk
J:nh#5 c8%
x~^O!i
2]qKHGx
{fQkci -
1jU"gGfw
J#rKLO1n
OIz"JTx@
d V|veI1
0V{msRH
h!_g8_3
{&AbFR
-Q Tq-
u]jxqOy
ws;xA?c~`
]#O$:p
dI\.$n= IsMqNtM
!a`-\Ay{r
f<z[EXEg
-TV]0G
:xc3{Z
TULk!e_w
m)*Hi5b@
nO<i[k
Bdsp"<)"
OOf!da8
KgUjayN-
mK?A]ySE
U]n0isXP #-
%fU^b/xh
t].b(#
dlUAHUd~OG
IMzd":
Dzo/a1q
XBoI_g
=jZG/Vity
WGU!Vo3@5)2
MmLCaq
49igkL"P
Qi s)1h
/5,nX,8
BuHUw(QE
kgCYF["2.9
S[P6if
dzz:x2jN
T9zuN]{z(sxI[vD
(a&L,~o
77>iH4$vy
&0UQWB Nwa0ucOW?
j"hH~.Yf2
U(2(-I0(
[Rj.G_)
zP.`Hyo5
u5LpE[
:6~JmW,
=Sh<"n
qj;"<9
{P?;\t7
pM=IAp#8Q;
br}6*weZJZ
Z>O57*
tcHZBr
M4YphNr
s@@F5X
Ka>r:-z
k_sm;+nF}H
zPssYVm
eIO3$n
'4Y$(jUt
!H<]t-M
Hg,I:Dr
3UipyC8V
_of]f*']]Xf3s
J/~RxL]*
Y-Tlaz
z/Odr=
HD|_}3
:bw/-+
Liqj~RY=6k
uHe~4Bp4_
oXK=hZB
[(-!LIa
!Y~O;co
/C-eKlXf-k|
6i:[j@q
ln`,:,l1d
=iSN] mc
{2=iY{j>
83dq`U
LuUDd2NSsVz
BHz2*S
!M.05H
/w1\i]>
EbW^iv\ls
N6ne<}0
.Dm`#+RhS/sanB0,
.H|:'MRr
uYmFyGKuG"
yEE<p0CU
u[Odzn
p GQ9"
T%+yP?DoM#
c7QWp-#
'.,Oy`TT
rPd3JQ
/{"&cg
w'K59v-:<,
5Am|eK
:QXc<<
(Pfi~.4;Urc
X#~(@c
HwPZzT
Y>bC8q'u[
aB[0iY[&Ih!
]jo]qf.Fo|TN@;5
DWs'W[
jQElc*Q
QgEEY,.OW'
"xJxuw
J$!uW`
FxA2F9
1 zV<p@-
}kUKeX4b
#_,Naq
*;Pb>z
=n{RzE
ynb6N3
m3r\7bP
};?;/]
$H:! dD
ls)F=`
n";7J<pzKR
ELgIPT
eCD%I'y
&m_W @
e 8"FY
=!f|Jum6>\
KTHA ^
07JU^@6\q
&[x!T/dc
kfUd5%.
fv57F,\N
CcN pa ~
H}{ki60E
s;n/P1m
L7\<MKd
,jAE%f1!
ww'9sU
.l]z-)t{P
9l_V*(
>;V&={
&OS@F&L
~Cq+qOh&
yRY`j_-s
=-Oo(eH
A6o5 Y)ht9V]fc.
}G:Bd e
:6)2D$p3v
Th+?in{Bv
p{QLsc~c
Zdb#re
njd9Ij_*I
wCg]o't
PJQEjwOB
,`l(O6}
I+FqS#
fbu;*+
%0M*c)
~` A< 51
b 3Wf%xI!?{`L[
y7:Z\:>a
C'3Kz~CFpKIBFv
KY{UN\X/1
mAm:w CO#q
h;S-8m|
/SiT?x5
CqGf0K)
o+F~9v
3"x|_f5
<RdeFn
suCTBK4<1Pt
iM}+bH
8l?K-7&EA:vD
\No>p]
D3i)TG
.h')78U
%{o{H6gizH;
t@| z.K0h
aLtqLS5gWj&
/Alll*w
i*w@@w<I
-[t?'bz?
S|PMQzw
qZM0({iN2-0pA
6-Y.w%x
P4pS=l6e^.
>F649N
j]!^T#
$-bQSV
xCbJ\\`z
(atMLhT@
8{t%C@Dq
. fkX~I
cx;g3*rUAp<
'&,{&B*
jw?d&R#1-{
|VM3Yn
S\oj#m6
YlRS`c
_Ip`ut.]
sdgo@;zk;.
f?6t)\"
sv~"Y9*
bY6,=7
PN"( n
#mKVY:hq:
8A3.9,
$#g%Cw\T7
t|P_3P
7{PyS"F
]hP^Ll
76Q},(
,l^vtdF=F7
?QLoU{g=F
@xiCfz
fpjThZNiK?
m{,fIm
T<ea$J
2TYs$.i
d}O=n<]\}!
+KgZ{M
c=Y?cu\.^
,j$mMh4>
3:/F9s
Oy0lns/#`
~KW*f
Nr4gei#Wdud}O
7l`5^!XhpoZ1
Ef7XzI?:
'y/HnzX!
G^1"l_PF
j&y`F?v
n`38wI?$
y)1$X^j
lHTgfGTfp"2g+2Pe_R2
w7Kn%8
8zcvhD^
96xTA#j
{%]H(~d~=
1zl2`fSEI"J
w?}a~<*
FJOscW
e=x/BQ
RTJ3PE
TmiY|D#vJ
ep1*$u!DGT]
y*Kyzk
UML/sz
MrRQuk }m
wr}&[?
yBrRzRCW#qlkB&=X9
LKs)K4[
~U\"C3s,
mrOB{p9S
k6uil[
Xe>`dR
,m%M?zz
Q^Ws\2ox51^qX8Is
,`Oz8G
m_{?;mlk
__%LK:
JZ^%mws@?s
BUKRxy
pjd}B0+#"
"qwWMe
QF_VKf3`&n+U2LY
[[SsWe
#mp`xTrO,
D1A{E$(%^`3
"Aw)(uK__@,3q
)yC@,]
#Cp7wGg,XP?
VfnBV/'u
Mj75rb
UrAmg2
w9xDGd$
8T.maL[IJ
$UTm]_Gz0.$'FD<qauhA
mBWwT9"M9
mWj7u24f
[K4}0=hg
y&MH_}%|&
Nn] ~jI3xJ3@<
CC-& @
3k<eqo9*l^n
,z~5$T\
e3eoZ?*<
lnf+SLf
A@;?/>r[
$@SnsSK
n D*|dvkF`D}.p
b/;}F/;
](Vf.u
_yVCq/# }
+M:{5'
hU)uSh#cl$%o
G*V0Jp^>Z_v~
_\_LO(y;
K!`lA$T/_
1;@Qz
&WZoi%
>Z{)6k
{&O8[8Gm_x
52Tx J
__w&h[~<
/Fn+j@]\
udYCo7
"2k5pL
u4ucCAXr
/oZ7@T.@r
QpTSM-
!Ro{$Z!UK/,
w=3<z#01gg
[[hL p
IS+Gi5C
xm[h|Zx[T{
r^<M@Tv
e=*hLpGaw=ay6t
Vo*]5{
b]1]C~@
_7~Cn>v&E
G&~;9463Le
-EY0$e'e
GrZ}9I
M@x#e4)7P
%-U!XuzH8
90A{,@Im_|5E_w
*KXyOPXkj5vRQR=c
A$h9:s
gVXjOv/Do
V{ AqGV;hoG
+AFFI*]
S![vEi
\g*c=S9fY
KOGwcN4
A`{2Z4w31TVCf
0_oJ3y+
`evMs<k
{`:ej/
ko$LIa
#>8u$f
:1Gg|.}F!
AEW/E7cNhQm~
~{D3v4,AW2
G4-2?;-
Y #Gcb
%u<D$v
;avHo{
R'8 H6B
db$ 1?S
&J_EQt`n
<DS($H*
Dw0(Km
jnR?hCQ8
T ap3-
50j J|U
gpb>o7
#Pn+#f}?!
O.;PGj"I
-DZ w`
wjz%([c
ed'szi$#]Gt %!
+-F*P[_o
eZ+!$,
"B:g1/+~1
.?R>9cS(KQ{
lBc0-tlLG
?VodUG~#L
/ 5i.R<K
I%U05$]v
76x 4"
^'IE*yv&%C$
hH)PhH)ThH)XhH)\hH)@hH)DhH)HhH)LhH)phH)thH)xhH)|hH)`hH)dhH)hhH)lhH)
hH)0hH)4hH)8hH)
*jHNw*"jH*@'mH~w/qH
3l&tHv4
&wHvq9
{H=8:~He>~H
Hv_2!HVc
%Hg)H>k-H1nzz.H
.H~n@.H
n2.H|n
nT.Hn6.H<q
g3HvMu
D;HVn}^?HD
x-BHlt
V1EHBx
^H1!0~cH%
jhH(hH(ThH(>hH(7kH
.]Vnb.]
o1]$<r
3]:<rH{
3]@<rH
3]=rHj
3]=rHe
3]=rH`
3]=rHU
3]=rHz
3]$=rH
3]K=rH
3]"rH(
d@+:2$g
1LzD$o
UNY2z4
i(D@#K
:Y n&<:s
6K^YtC
$QB)y53
gePa}wtM
vN=|w||J
WC>q+4
Z`h!xk
<_[H.V.
.:.L@.R
Hmu%Vt-O
k:NnL&k
qp a=(
wnthZcUc=
Q|.|o|)v>}(.L~+?T~**K
Tf.ew:CG
[g1sr2&=Q#x
.@)-a|VjJ!n<&T8
md<:/0-K
4vt-aOS
js2J]:
h*Q??d6G
87N&ao
:-Lwj/
nB!y{AlP(<6tn
1K{?>j:Z
LM~@|>
,DJrp}
h~W OCk
2&ix&[ueh@
O 5Ca4'
"nLi"3c
Y74Ee|
UgzGr*
=V59b[
~|_k4pMUI
o?vD"(
kV*\!`
?_#qnX0h7
bRV$>l\
I)EeTse
$X9J]bL
V-@&m5Xz?E~ ?~ ?
Ui,VZ,
lximi<|bBV
5&H`D<
z @[~md,%#U,8gmJ<
M~cXr9Mq2
EbpWS:$(
g`\Uky
wZ\cZ2^X:3h
m$D5+owg
o%8vw.
UjBi^1??
[f:c(@5k
wY PE37
[rYk3E
lRu5_Vg
Svo`]]!
@xG+Tz1K
c3`VrT
lyp\SYTJE
&qZ[RKKP
eD|-myp
cKHvz[M!r
u(Ub=C[9ch
)lybNRu"jln>
r&)2Gi
^|K*90yY=&
(bfD"<
|o5XvWin
,a}Imew
?KHzJQ
G?\pWW)Y
%`@PQ"W
@"89Y2|$
b_QO:G-
_^x}eLORB`_
C!<}.[j
e=$|pG2n
EQh]/n
tnFSf]]u
ib}[^`Vg
y@S<goE
{iw[QBd
_l`Xgk
kaKUq$
/KU{={+
^zluZh
TRp`l10d
GPo#C-
>Y6]wtG
B_=Y+7
Zi]vZI
iormG@
3#r/r4y
_JjtLS#
NkvD#j
jupsiGI
>(y1a_bDl w JXrN
$%$bd/V
"a+2 6w
-E*72'
KLk*ue
W^TkUq
PanZdN
PVCbM/8
0X|(Z>
+prsms
+aiLN)
W9U$?/
.iqICy
VziN[P+
gqkmh|
WsC^iy
ex)d5o
zw~6rBe|"
2x!=H"v;-
a2~e<MdW+S
6S@(2R +R
Nf:.rp
-1-5-9-=-!-%-)---
-_-[-W-S-O
1e,i/Im.
Gf+p!m6Nn-5 tNj-5 tNf-5 tNb-5 tN^-5 tNZ-5 tNV-5 GHR-
}rmq_V?9
n<dL|_<
Z atjauV
j^uv\T
3t9Z!i
*lt{#"]
+VXm!2
i^r(3f
rG`EN}GUJe
DS(-zo
(,M\V[
r oRl5
(q@(qCFhTEX
=q"sh%r
-#!~l-#l
m1p8U3
UkF~-m#
jALri:8
#J2dNT~
dK E4c
!i/JiQbG
<-.WpT
m$RKJY1
2sx[] LzDcS&hOV
Li!#=cP
'r.A'CbFEk3E!
,DatD3EVJ`wO
F}Lj +
o&n=muj:$*W
UpkoR?
o|6mn<]
sEN`CH~
,&SOGkfg4!
x:I8;h
!h$s5 Ye+I
k")ik1?
~R,gt$]
{ k]GyY,b
UO5NqQc9
4q@W,L
gyuDgJF4
DIGRKOY)
D$~8]|YG
U9?R}Jb#$
+1 ~`oix#@
; +HrQ
?nkDaBd{Z
9y*MY:
[m5.I[F
y7l2:4
(gre#u
#=DrMM
F20:Pt2
{QwBmwVP6R
TZ\:'-*41kU
A}=}%Hq
:NB5J/
r1Eb"`k1
mv 8ZdAzT9+
I<h(d5#v#Vi
;9FkB\
%1zmGsn;B7
*?dB2y
@@fA!FiK
@&;]Vj
=GAENWWM
/v*'Uc
w@o;?;
T3efU5
6DDg k
V)yloI^Mhr
,UDc f,@`z
t@t\18xZF'vfB'vf>'vf:'vf6'vf2'vf.'vf*'vf&'vf"'vf
'vf'vPf'vTf'vXf'v\f'v@f'vDf'vHf'vLf
'v,f~'v
fn'vfj'v
f^'vfZ'vfV'vfR'vfN'vfJ'vfF'vfB'vf>'vf:'vf6'vf2'vf.'vf*'vf&'vf"'vf
'vf'vPf'vTf'vXf'v\f'v@f'vDf'vHf'vLf
a�x�r�_�o�s�.�d�l�l�
Process Tree
-
029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe (628)
"C:\Users\Administrator\AppData\Local\Temp\029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe"
- sc.exe (2124) "C:\Windows\System32\sc.exe" description gktshveu "Internet Mobile Support"
- cmd.exe (1852) "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gktshveu\
- cmd.exe (1988) "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\ADMINI~1\AppData\Local\Temp\lvifscfd.exe" C:\Windows\SysWOW64\gktshveu\
- netsh.exe (1992) "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- sc.exe (312) "C:\Windows\System32\sc.exe" start gktshveu
- sc.exe (1140) "C:\Windows\System32\sc.exe" create gktshveu binPath= "C:\Windows\SysWOW64\gktshveu\lvifscfd.exe /d\"C:\Users\Administrator\AppData\Local\Temp\029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe\"" type= own start= auto DisplayName= "P2P Support"
029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe, PID: 628, Parent PID: 1332
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 1852, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 1988, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
sc.exe, PID: 1140, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
sc.exe, PID: 2124, Parent PID: 628
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| microsoft.com |
A 20.112.250.133
A 20.236.44.162 A 20.70.246.20 |
|
| microsoft.com | MX microsoft-com.mail.protection.outlook.com | |
| microsoft-com.mail.protection.outlook.com |
A 52.101.8.49
A 52.101.11.0 A 52.101.42.0 A 52.101.40.26 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 52.101.40.26 | 25 | 192.168.56.101 | 49170 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | e15d95cb1227e427_lvifscfd.exe |
|---|---|
| Filepath | c:\windows\syswow64\gktshveu\lvifscfd.exe |
| Size | 14.0MB |
| Processes | 628 (029f085a5a72a188098315c6563a5214246a1d5a34f6ee578321e690be60fb97.exe) 1988 (cmd.exe) |
| Type | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | e86555bc3f7a4edea0ee7a8ad025efca |
| SHA1 | 920576a79171e2a3749957ecc3e8269cd057d50f |
| SHA256 | e15d95cb1227e4278e45198d65d80c924c3c1d995af925dc3c30cc281124eedb |
| CRC32 | D0C89285 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.